topic Re: TACACS two factor authentication with DUO in Network Access Control

TACACS two factor authentication with DUO

smano — Thu, 10 Jan 2019 19:53:19 GMT

Hi folks,

I haven't worked much on multi factor authentication on ISE. So it would be great if I get more details on this, The customer needs the below design to support from ISE, is it possible? So basically they want to do TACACS auth for the below devices where the authentication request should go to AD and then once successful it should go to DUO server for phonecall or token? Is there any configuration example which helps the scenerio

List of network devices we will use for testing:

Nexus 7710 - 8.2.1 Code

Nexus 93180 - 7.x

ASR1009 - 16.6.4

ASR9K - 6.2.3

Catalyst 4510 - 3.02.10.SG

WLC 8540 - 8.5.143.0

WLC 5508 - 8.3.133.10

WLC 5760 - 03.07.05E

Cisco PI - 3.4

Cisco ISE - 2.3 Patch 5

Cisco Prime Assurance -

F5 LTM/GTM -

InfoBlox - 8.2.2

Cisco VG350 –

Cisco Call Manager – 11.5.x

Cisco ASA5580 – 8.4.x

FTD - 6.x

Re: TACACS two factor authentication with DUO

Surendra — Thu, 10 Jan 2019 21:09:04 GMT

Configure ISE as a TACACS server and DUO as a RADIUS server on the Network device.

Configure authentication to be done against ISE (Configure ISE to look for the user in AD) and authorization to be done against DUO.

This will work as long as the network device supports different servers for authentication and authorization.

ISE in itself does not support MFA but utilizes the third party device capability to do so. TACACS has a very limited scope when it some to MFA on ISE. For instance : https://community.cisco.com/t5/security-documents/using-duo-with-ise-2-3-and-acs-5-x-for-2fa-cisco-network-admin/ta-p/3642171

If you plan to use RADIUS, then you can probably try this https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/213239-configure-external-radius-servers-on-ise.html#anc7 . Here you can check with DUO call or OTP first and then lookup the user in the AD in authorization policies if you choose the option to continue with authorization on Access-Accept.

You cannot do the other way around with ISE with either of the protocols i.e., AD first and then DUO.

Re: TACACS two factor authentication with DUO

smano — Fri, 11 Jan 2019 02:50:58 GMT

Thanks @Surendra for responding, so my understanding is ISE cannot support the customer ask (which is auth goes to AD first and then to token server). ISE can only forward the authentication request to DUO proxy first and then the proxy forwards to AD and duo token server i.e as shown in diagram below. Am I right?

Re: TACACS two factor authentication with DUO

Surendra — Fri, 11 Jan 2019 09:19:56 GMT

With https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/213239-configure-external-radius-servers-on-ise.html ,

1. ISE forwards/proxies the request to DUO.
2. DUO validates the credentials entered by the user.
3. DUO sends an access-accept back to ISE if the credentials are correct.
4. ISE will lookup the user in the AD.
5. Sned a final access-accept back to the network device.

Re: TACACS two factor authentication with DUO

faylee — Fri, 11 Jan 2019 12:55:26 GMT

Yes, you are correct. What is the reason to hit AD first?

Re: TACACS two factor authentication with DUO

nupur jain — Thu, 04 Apr 2019 14:36:59 GMT

So the auth proxy will check with the AD ( primary auth ) and then with Duo Cloud ( Secondary auth)
Why does ISE have to check with AD again?

Can ISE Integrate with Duo for 2FA, after doing primary auth with AD ( without a auth proxy in the middle)

Re: TACACS two factor authentication with DUO

hasitha siriwardhana — Fri, 05 Apr 2019 10:14:07 GMT

Hi Surendra,

1) Do we need only to add ISE as a radius token server on achieving 2 FA?

2) Without doing ISE for authentication and DUO for authorization, can we done same authentication request get authenticated by ISE and DUO.

regards

hasitha