topic Re: ISE 2.1 with Duo 2 Factory in Network Access Control

ISE 2.1 with Duo 2 Factory

Eric Zuvic — Tue, 27 Sep 2016 22:51:44 GMT

Do we know if ISE works with Duo's 2 Factory solution. I did see a reference on there site where they stated they support ISE but no integration guides.

Re: ISE 2.1 with Duo 2 Factory

Alex Martin — Thu, 12 Jan 2017 03:08:00 GMT

Has anyone attempted this yet? As Eric stated above, Duo states and their website that it is compatible with ISE but I have yet to find a guide to show all the integration works. I have a customer that is interested in doing this and need to know if anyone out there has configure this yet.

Re: ISE 2.1 with Duo 2 Factory

Jacob Gibb — Thu, 12 Jan 2017 16:49:44 GMT

I'm looking for the same thing and reached out to support. They 'said' they will open a case and send the documentation guide. I'll update if received.

Re: ISE 2.1 with Duo 2 Factory

Alex Martin — Thu, 12 Jan 2017 17:01:18 GMT

I'm testing right now with a customers ISE 2.0 using Duo and TACACS. I was not involved with the setup of Duo. I am somewhat successful. Here is what I found out so far.

When Duo is setup, there is a configuration file created in the Program files folder (c:\program files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg). This file contains the radius shared secret as well as the IP addresses that were (I'm assuming here) created when Duo was setup. In ISE, you need to add Duo as a RADIUS Token in Administration > Identity Management > External Identity Sources. Use the shared secret found in the authproxy.cfg file to configure the connection to the Duo server when you create a new RADIUS Token Identity Source. In my testing, I've left everything pretty much default with the exception of the server timeout.

So far, I've only tested with TACACS, but it appears to just use RADIUS to communicate back and forth. The test I setup was with a 5505 WLC and it works (sometimes). I am not sure if there is some kind of timeout going on, but it seems like if I get the request from Duo and hit it straight away, it works, but if I wait more than a second or two after I get the Push notification from Duo on my phone, then the Authentication passes, but it never proceeds to Authorization. Could just need some more tweaking on timeout values.

I'll update when I've tested more.

Alex

Re: ISE 2.1 with Duo 2 Factory

Jacob Gibb — Thu, 12 Jan 2017 18:55:48 GMT

I heard back from DUO support and essentially it looks like they are still requiring the DUO proxy to be installed but ISE is the NAD in this case not the ASA?

ISE Duo Integration Steps

1. Sign up for a Duo account.
2. Log in to the Duo Admin Panel and navigate to Applications.
3. Click Protect an Application and locate RADIUS in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. See Getting Started for help.
4. Install the Duo Authentication Proxy.
5. Configure the Proxy:

[ad_client]
host=1.2.3.4
service_account_username=duoservice
service_account_password=password1
search_dn=cn=Users,dc=example,dc=com

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=<IP Address of the ISE>
radius_secret_1=thisisalsoaradiussecret
client=ad_client
port=1812
failmode=safe

6. Start the AuthProxy: net start DuoAuthProxy
7. Login to Cisco ISE.
8. Go to Administrators > External Identity Sources > RADIUS Token and select Add.
9. Select Connection and then enter in IP Address of the AuthProxy Server, and Shared Secret of the AuthProxy server. Change the server timeout to 60 seconds and select Save.
10. Now change your Authentication Policy to use the External Identity Source you created for Duo. This is done under Policy > Authentication.

ISE Troubleshooting

In the web interface, choose Operations > RADIUS LiveLog. This will show you all the RADIUS Authentications for the past 24 hours. Clicking on the magnifying glass will take you to the authentication details for a request you are troubleshooting.

Re: ISE 2.1 with Duo 2 Factory

BrianEschen — Tue, 14 Feb 2017 22:14:36 GMT

We are also trying to get this working. We want to use local ISE user/groups. We have the Duo proxy added as External Radius Token...

We have the proxy setup and I can get a Duo push but can't get the ISE authentication part working.

Would love to know if anyone else has had it work. We are going to open a ticket with Tac and see if they will be of any help.

Re: ISE 2.1 with Duo 2 Factory

Richard Lucht — Thu, 30 Nov 2017 20:49:26 GMT

I would like to give this a try, did you get this to work and do I need the ad_client?

Re: ISE 2.1 with Duo 2 Factory

Richard Lucht — Mon, 11 Dec 2017 17:02:22 GMT

Did you get this working? I am trying to use DUO as a multi factor for access to network devices. I am having trouble getting ISE and the Auth proxy to communicate properly. I can see info in the log of the authproxy when I test and failures on ISE. Something about either a bad password or wrong key. the key matches everywhere and i know the password is correct. In Duo I get this error "[RadiusClient (UDP)] dropping packet from 10.200.1.30:1812 - response packet has invalid authenticator" Duo says it has to do with my ISE configuration.

Re: ISE 2.1 with Duo 2 Factory

hslai — Wed, 25 Apr 2018 02:38:04 GMT

See Using DUO with ISE 2.3 and ACS 5.X for 2FA Cisco Network Admin Access

Re: ISE 2.1 with Duo 2 Factory

don.click1 — Mon, 09 Sep 2019 20:40:04 GMT

we used ISE as a radius server, but with Active Directory as our external ID source. Now I need to "insert" DUO in the mix for 2 factor.

when you set this up, does it still allow you to use the Authorization profiles from ISE to set Radius attributes?

things like:

Access Type = ACCESS_ACCEPT
CVPN3000/ASA/PIX7x-IPSec-Group-Policy = <AD_Group>

Framed-IP

etc?