https://community.cisco.com/t5/network-access-control/ise-ldap-to-mfa-server/m-p/3988155#M455507 <P>I don't think this is possible integration point. You can link together like DUO via a RADIUS proxy server like here but not via LDAP that i know of unless your RADIUS proxy can integrate</P> <P>&nbsp;</P> <P><A href="https://community.cisco.com/t5/security-documents/how-to-deploy-ise-device-admin-with-duo-mfa/ta-p/3821231" target="_blank">https://community.cisco.com/t5/security-documents/how-to-deploy-ise-device-admin-with-duo-mfa/ta-p/3821231</A></P> <P>&nbsp;</P> <P>I also tag my coworker&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/113005">@hslai</a>&nbsp;to see if she can take a look</P> Fri, 22 Nov 2019 23:02:35 GMT Jason Kunst 2019-11-22T23:02:35Z https://community.cisco.com/t5/network-access-control/ise-ldap-to-mfa-server/m-p/3986708#M455506 <P>I am in the process of trying to setup an LDAP connection to a MFA proxy server.&nbsp; I am able to test bind the connection and can see the connection on the MFA proxy server.&nbsp; The issue is when I try to login to a Nexus switch I have setup in ISE using tacacs+ for device admin.&nbsp; I never see anything from ISE on the MFA server when this request is done.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Here is what I am seeing in ISE:</P><P>&nbsp;</P><TABLE border="0" cellpadding="3"><TBODY><TR><TD>13005</TD><TD>Received TACACS+ Authorization Request</TD></TR><TR><TD>&nbsp;</TD><TD>15049</TD><TD>Evaluating Policy Group</TD></TR><TR><TD>&nbsp;</TD><TD>15008</TD><TD>Evaluating Service Selection Policy</TD></TR><TR><TD>&nbsp;</TD><TD>15048</TD><TD>Queried PIP - Network Access.Protocol</TD></TR><TR><TD>&nbsp;</TD><TD>15048</TD><TD>Queried PIP - DEVICE.Device Type</TD></TR><TR><TD>&nbsp;</TD><TD>15041</TD><TD>Evaluating Identity Policy</TD></TR><TR><TD>&nbsp;</TD><TD>15013</TD><TD>Selected Identity Source - MFA_test</TD></TR><TR><TD>&nbsp;</TD><TD>24031</TD><TD>Sending request to primary LDAP server - MFA_test</TD></TR><TR><TD>&nbsp;</TD><TD>24016</TD><TD>Looking up user in LDAP Server - MFA_test</TD></TR><TR><TD>&nbsp;</TD><TD>24019</TD><TD>LDAP connection error was encountered - MFA_test (<IMG src="https://172.23.10.185/admin/css/images/alarm_n_16.png" border="0" title="Step latency=45001ms" /> Step latency=45001ms)</TD></TR><TR><TD>&nbsp;</TD><TD>22059</TD><TD>The advanced option that is configured for process failure is used</TD></TR><TR><TD>&nbsp;</TD><TD>22062</TD><TD>The 'Drop' advanced option is configured in case of a failed authentication request</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>I am still learning so I am sure there is something I am missing.&nbsp; Are there any other tools on ISe that would assist with investigating this?&nbsp; I am working on setting up sniffer so I don't have that info yet.</P> Wed, 20 Nov 2019 16:18:40 GMT https://community.cisco.com/t5/network-access-control/ise-ldap-to-mfa-server/m-p/3986708#M455506 cscotty1972 2019-11-20T16:18:40Z https://community.cisco.com/t5/network-access-control/ise-ldap-to-mfa-server/m-p/3988155#M455507 <P>I don't think this is possible integration point. You can link together like DUO via a RADIUS proxy server like here but not via LDAP that i know of unless your RADIUS proxy can integrate</P> <P>&nbsp;</P> <P><A href="https://community.cisco.com/t5/security-documents/how-to-deploy-ise-device-admin-with-duo-mfa/ta-p/3821231" target="_blank">https://community.cisco.com/t5/security-documents/how-to-deploy-ise-device-admin-with-duo-mfa/ta-p/3821231</A></P> <P>&nbsp;</P> <P>I also tag my coworker&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/113005">@hslai</a>&nbsp;to see if she can take a look</P> Fri, 22 Nov 2019 23:02:35 GMT https://community.cisco.com/t5/network-access-control/ise-ldap-to-mfa-server/m-p/3988155#M455507 Jason Kunst 2019-11-22T23:02:35Z https://community.cisco.com/t5/network-access-control/ise-ldap-to-mfa-server/m-p/3989209#M455508 <P>Please note MFA may need longer timeouts because it usually waits for the user to respond (e.g. generating a new one-time password).</P> <P>A couple of things to check:</P> <UL> <LI>ISE able to connect to the MFA proxy server via LDAP <UL> <LI>In ISE, verify the test connection</LI> <LI>In MFA proxy, check the connection logs</LI> </UL> </LI> <LI>LDAP server timeouts <UL> <LI>In ISE, each LDAP server connection may have its own timeout and 99 seconds max</LI> <LI>In MFA proxy, check the vendor doc.</LI> </UL> </LI> </UL> <P>&nbsp;</P> Mon, 25 Nov 2019 22:27:27 GMT https://community.cisco.com/t5/network-access-control/ise-ldap-to-mfa-server/m-p/3989209#M455508 hslai 2019-11-25T22:27:27Z