topic Re: RADIUS Token Failover with Duo Proxy Servers in Network Access Control

RADIUS Token Failover with Duo Proxy Servers

Steven Williams — Fri, 19 Oct 2018 14:08:15 GMT

I don't think DUO Proxy matters in this case, but how does radius token Primary and failover server work. I can never get the authentication to access the secondary server. Timeout on primary is 60 seconds. Do I need to lower this?

Policy says "if process fails [DROP]" I assume this means it would query the secondary server in the radius token. Doesnt seem to ever get there.

Re: RADIUS Token Failover with Duo Proxy Servers

paul — Fri, 19 Oct 2018 14:11:22 GMT

Did you make sure to crank up your RADIUS timeout from the network device to ISE to something like 120 seconds? Is the first Duo really not responding? Put a fake IP address in for the first Duo to simulate a not responding. The timeout going to Duo needs to be 60 seconds+ because you need to allow time for the user to do MFA.

Re: RADIUS Token Failover with Duo Proxy Servers

Steven Williams — Fri, 19 Oct 2018 14:15:53 GMT

I stop the DUO proxy service on the primary server. The ASA VPN device is set for 60 seconds time out to ISE.

Re: RADIUS Token Failover with Duo Proxy Servers

paul — Fri, 19 Oct 2018 14:18:13 GMT

The ASA timeout has to be longer than the timeout going to the Duo servers to allow for the failover. Otherwise the ASA will timeout and start the process over and then ISE starts the process over. I would set ASA to 120 seconds and the time out to Duo 60 seconds. You have both Duos tied together into an identity source sequence? Did you abandon the dual AD individual authentication rule setup?

Re: RADIUS Token Failover with Duo Proxy Servers

Steven Williams — Fri, 19 Oct 2018 14:22:47 GMT

So what ended up working was the Radius username attribute looking for domainA\ go to Duo Proxy 1 on port 1812 and then if user not found continue then hits a policy that says look for domainB\ and go to Duo Proxy 1 on port 18120 and if user not found then continue and the last policy is deny access. Thats the identity sequence.

There are two instances of RADIUS tokens, One for port 1812 and one for port 18120 and inside each token there is primary and secondary DUO proxy servers. Ideally it would be nice to get these behind my F5 to LB it and I will get there but have to get this going for now.

Re: RADIUS Token Failover with Duo Proxy Servers

paul — Fri, 19 Oct 2018 14:34:25 GMT

Ahh perfect makes complete sense. In your RADIUS token definition did you define the secondary IP? If so is that what isn't working? You shouldn't be using an identity source sequence for this. You probably need to play around with the timeout on the Duo and attempts. For example if you have timeout set for 60 seconds with 3 attempts it will take ISE 180 seconds to timeout primary IP which is longer than ASA timeout.

Re: RADIUS Token Failover with Duo Proxy Servers

Steven Williams — Fri, 19 Oct 2018 14:38:17 GMT

I have it set for 60 seconds and 1 retries. The issue is I get like 5 Duo Pushes so the user is going to be so confused. Should I be creating two radius tokens, Duo Proxy 1 port 1812 and Duo Proxy 2 port 1812 and put them in a sequence together?

Re: RADIUS Token Failover with Duo Proxy Servers

paul — Fri, 19 Oct 2018 14:55:25 GMT

How can you get 5 pushes if the primary Duo server is down? I guess I am confused on that point. It sounds like the primary server is really not down. With 60 seconds and 1 retry you are at 120 seconds for ISE to detect the primary Duo is down. So if your ASA timeout is 120 seconds or less the ASA is going to give up. Play around with your timers and really make sure your primary Duo is down. Like I said put a fake IP in the primary Duo to test.

Re: RADIUS Token Failover with Duo Proxy Servers

Steven Williams — Fri, 19 Oct 2018 15:00:20 GMT

I mean a fake IP would probably work better, but the reality is that my server isnt always hard down, but maybe the service of DUO stopped so I need it to detect outage on that too. I need to better understand the timers it sounds.

Re: RADIUS Token Failover with Duo Proxy Servers

paul — Fri, 19 Oct 2018 15:06:25 GMT

Yeah is there is a soft failure on the Duo that would be a bit harder to detect. You are correct that is where front this environment with an F5 would be the correct answer since the F5 can do complex keep alive checks.

Good luck!

Re: RADIUS Token Failover with Duo Proxy Servers

Steven Williams — Wed, 14 Nov 2018 16:30:50 GMT

So back to this mind breaking topic.

Just recently discovered that if a user is configured in AD and NOT in Duo, they can login to the Anyconnect VPN without any issues. I assume its a design issue or a policy issue with how users are authenticated.

There needs to be something that says if the user belongs to AD but doesnt have a DUO account then deny access but cant figure out how to do this with ISE? Is it a matter of the ASA needs to point to the Duo Proxy server and then Duo queries ISE for AD membership?

Re: RADIUS Token Failover with Duo Proxy Servers

hslai — Wed, 14 Nov 2018 17:22:43 GMT

Remote Access VPN using Cisco AnyConnect VPN module to a Cisco ASA head-end has different ways to use DUO as the MFA. If using SAML, then ISE only used in authorization but not in authentication. If using RADIUS, it depends on how DUO policies configured in Duo Admin panel, the configuration on the Duo Auth Proxy, and then the configuration of Network Access policies and elements on ISE.

Thus, please provide details how it's setup so the community may comment better how to adjust it, etc.

Re: RADIUS Token Failover with Duo Proxy Servers

hslai — Wed, 14 Nov 2018 17:43:56 GMT

Just to add...

In case you are using Duo Auth Proxy, then the RADIUS application in Duo Admin Panel may enforce a new user policy to deny access to any users not enrolled.

Re: RADIUS Token Failover with Duo Proxy Servers

Steven Williams — Wed, 14 Nov 2018 17:48:06 GMT

ASA radius servers are set to ISE. Duo Proxies are set as radius tokens in ISE.

In Duo admin panel, I have the vpn application set to use simple username normalization.

Duo Proxies are configured with ISE Server IP as Radius server.

ISE Policy is set as follows:

Some of the challenges with this was we are authenticating users from two separate forest domains and the forests have a two way trust, So each user has to use their domain\username for it work for each domain. I couldn't get it to work with just username since the ISE server sits in one domain.

If a user is not configured in DUO but tries to authenticate to the anyconnect VPN they can successfully authenticate and connect as long as they exist in the domain and ISE verifies that. I assume this is because the ASA looks to ISE directly so DUO verification is only after the user is verified in the Domain. Not sure though.

Re: RADIUS Token Failover with Duo Proxy Servers

Steven Williams — Wed, 14 Nov 2018 17:50:17 GMT

That is set to Deny.

Re: RADIUS Token Failover with Duo Proxy Servers

Steven Williams — Thu, 29 Nov 2018 13:36:29 GMT

Well after much aggravation and working with DUO they have suggested that we redesign this.

Rather then ASA - ISE - DUO Proxy

They suggested ASA - DUO - ISE

We had a lot of timing issues with the original design and many lockouts.

Some issues now is with dACLs and my Anyconnect clients. From what I can gather, due to the fact I inherited this setup, when the ASA sends radius requests to ISE in addition to the radius ports its sents CoA on port 1700 to ISE. Now with DUO servers in the middle and the ASA sending radius requests to DUO and not ISE, dACLs seem to now work.

How is this setup built with something like RSA? There has to be similarities.

Re: RADIUS Token Failover with Duo Proxy Servers

paul — Thu, 29 Nov 2018 14:20:04 GMT

Don’t do ASA->DUO->ISE do

ASA authentication to DUO
ASA authorization to ISE

I you connection profile you can point to ISE for authorization. Now RADIUS doesn’t have a concept of authorization like TACACS so you have to fake you way past the authentication phase. In the policy set for this set the identity store to internal users and set the user not found to continue. That will get past authentication then all you AD lookups will work in authorization and you can apply whatever DACLs you want.

Re: RADIUS Token Failover with Duo Proxy Servers

Steven Williams — Thu, 29 Nov 2018 14:24:05 GMT

So what should the AAA server group be then if you are going to define DUO in the authentication section and ISE in the authorization profile?

Re: RADIUS Token Failover with Duo Proxy Servers

paul — Thu, 29 Nov 2018 14:59:04 GMT

It is different part of the connection profile. The AAA group would be DUO. Then on the left side (using ASDM) of the connection profile you can open up the other settings and you will see there is an authorization section. Point at ISE there.

Re: RADIUS Token Failover with Duo Proxy Servers

Steven Williams — Thu, 29 Nov 2018 16:46:30 GMT

Ok so create two separate AAA server groups, one with DUO proxy's using the radius port 1812, and the other using ISE servers using also the radius port but with CoA port 1700 on it?

So Anyconnect client connects and is prompted for username and password, user types DomainA/username and then the ASA calls to DUO and then DUO does an AD lookup to the DC using the [ad_client] section. So that is then a go or a no, if a go then the ASA calls to ISE and looks at what?

How would you build your authentication section in ISE policy set?

I think the challenge is still two forest domains. Right now ISE makes the choice to which DC is queried based on radius name consisting of DomainA or DomainB.