https://community.cisco.com/t5/deployment-strategy/duo-mfa-with-cisco-ise-and-ftd-ravpn/m-p/4975384#M200 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752">@MHM Cisco World</a>&nbsp;</P> <P>Thank you for your reply, I have attached a screenshot for all required points, so what I'm doing is when the request comes to the FTD it's configured with AAA server (ISE nodes), and the ISE is configured with External radius server (Duo Auth Proxy) which will send the first authentication (Username and Password) to the ISE.</P> <P>Also, I can see this error message, so do you think if we enable the MS-CHAPv2 on the Cisco Duo it will work?</P> <P>allow concat is configured but is not supported with ms-chapv2 authentications. Did you try to concatenate your second factor to your password?</P> <P>Knowing that this setup is working fine with Active Directory as an external identity for authentication.</P> <P>Thank you,</P> <P>Ibrahim</P> Mon, 11 Dec 2023 10:31:35 GMT Ibrahim-Sharif 2023-12-11T10:31:35Z https://community.cisco.com/t5/deployment-strategy/duo-mfa-with-cisco-ise-and-ftd-ravpn/m-p/4975316#M198 <P>Dear all,</P> <P>Hope you are doing well.</P> <P>I have Cisco FTD configured with remote access VPN and Cisco ISE for AAA services using the local user database on the ISE itself, and now I intend to add the 2FA using Cisco Duo.</P> <P>After completing the configuration on the Cisco ISE and preparing the Cisco Duo Auth proxy, I'm facing an issue with the primary authentication "ISE username &amp; password":</P> <P>Error performing primary authentication: RADIUS auth request timed out</P> <P>Allow concat is configured, but is not supported with MS-CHAPv2 authentications. Did you try to concatenate your second factor to your password?</P> <P>Returning response code 3: AccessReject<BR />(('10.171.22.110', 22043), user1@local, 17): Sending response<BR />dropping packet from 10.171.22.110:1812 - unrecognized ID in response packet: 9</P> <P>In the attached screenshot you can see the traffic flow and topology, as well as the Cisco Auth proxy configuration file.</P> <P>I would appreciate your input in addressing this issue.</P> <P>Thank you,</P> <P>Ibrahim</P> Mon, 11 Dec 2023 07:24:43 GMT https://community.cisco.com/t5/deployment-strategy/duo-mfa-with-cisco-ise-and-ftd-ravpn/m-p/4975316#M198 Ibrahim-Sharif 2023-12-11T07:24:43Z https://community.cisco.com/t5/deployment-strategy/duo-mfa-with-cisco-ise-and-ftd-ravpn/m-p/4975326#M199 <P>I need to see&nbsp;</P> <P>Radius server config&nbsp;</P> <P>Connection profiles/AAA&nbsp;</P> <P>Take screenshots for this and share here let me check it</P> <P>MHM</P> Mon, 11 Dec 2023 08:01:16 GMT https://community.cisco.com/t5/deployment-strategy/duo-mfa-with-cisco-ise-and-ftd-ravpn/m-p/4975326#M199 MHM Cisco World 2023-12-11T08:01:16Z https://community.cisco.com/t5/deployment-strategy/duo-mfa-with-cisco-ise-and-ftd-ravpn/m-p/4975384#M200 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752">@MHM Cisco World</a>&nbsp;</P> <P>Thank you for your reply, I have attached a screenshot for all required points, so what I'm doing is when the request comes to the FTD it's configured with AAA server (ISE nodes), and the ISE is configured with External radius server (Duo Auth Proxy) which will send the first authentication (Username and Password) to the ISE.</P> <P>Also, I can see this error message, so do you think if we enable the MS-CHAPv2 on the Cisco Duo it will work?</P> <P>allow concat is configured but is not supported with ms-chapv2 authentications. Did you try to concatenate your second factor to your password?</P> <P>Knowing that this setup is working fine with Active Directory as an external identity for authentication.</P> <P>Thank you,</P> <P>Ibrahim</P> Mon, 11 Dec 2023 10:31:35 GMT https://community.cisco.com/t5/deployment-strategy/duo-mfa-with-cisco-ise-and-ftd-ravpn/m-p/4975384#M200 Ibrahim-Sharif 2023-12-11T10:31:35Z https://community.cisco.com/t5/deployment-strategy/duo-mfa-with-cisco-ise-and-ftd-ravpn/m-p/5297105#M287 <P>Hello Ibrahim,</P><P>Did you manage to integrate Duo MFA with FMC/ISE for RAVPN users?</P><P>We have already got FMC/ISE integrated with RAVPN and want to introduce Duo to the mix, do you have any pointers for me?</P> Fri, 06 Jun 2025 06:43:53 GMT https://community.cisco.com/t5/deployment-strategy/duo-mfa-with-cisco-ise-and-ftd-ravpn/m-p/5297105#M287 alfred 2025-06-06T06:43:53Z https://community.cisco.com/t5/deployment-strategy/duo-mfa-with-cisco-ise-and-ftd-ravpn/m-p/5297193#M288 2 ways<BR /><BR /> 1.<BR /> ISE 3.3 or later can integrate with Duo directly<BR /> 2.<BR /> you can use the Duo.Auth Proxy. Have FMC/FTD send its radius queries to the auth proxy and the Auth Proxy can query ISE.<BR /> Fri, 06 Jun 2025 12:09:23 GMT https://community.cisco.com/t5/deployment-strategy/duo-mfa-with-cisco-ise-and-ftd-ravpn/m-p/5297193#M288 Ken Stieers 2025-06-06T12:09:23Z https://community.cisco.com/t5/deployment-strategy/duo-mfa-with-cisco-ise-and-ftd-ravpn/m-p/5304752#M296 <P>Hi,</P> <P>use pass_through_all</P> <P><A href="https://duo.com/docs/radius" target="_blank">https://duo.com/docs/radius</A></P> Wed, 02 Jul 2025 07:24:00 GMT https://community.cisco.com/t5/deployment-strategy/duo-mfa-with-cisco-ise-and-ftd-ravpn/m-p/5304752#M296 ergin.sezgin 2025-07-02T07:24:00Z