topic Re: Duo Security with Cisco ISE in Network Access Control

Duo Security with Cisco ISE

PQR — Mon, 09 Mar 2020 12:35:38 GMT

Hola, ¿es posible habilitar PAP con comunicación con Duo Prsoxy y Ciso ISE?

En la documentación de Duo sobre Fortinet y Palo Alto, es posible activar la opción para especificar el tipo de protocolo que se utilizará para comunicarse con el proxy duo y el NAC, pero en Cisco Ise no encuentro esa opción.

Adjunto mi proxy settings.cfg
registros de Cisco Duo

La configuración que tengo en ISE es:
Usuario local creado especificando que es un usuario Duo.

Re: Duo Security with Cisco ISE

Francesco Molino — Sun, 08 Mar 2020 05:05:05 GMT

Hi

First of all, you've attached a screenshot of your real config of your duo proxy which includes your keys. Remove the screenshot and reattach it by hiding these keys.

Why on ISE are you creating a network access user?
PAP is available on authentication protocol. Normally ISE receives an authentication request and forward it to your DUO using the protocol. Is this what you want to do?

Re: Duo Security with Cisco ISE

PQR — Mon, 09 Mar 2020 14:05:16 GMT

PAP is available on authentication protocol. Normally ISE receives an authentication request and forward it to your DUO using the protocol. Is this what you want to do?

Answer: Yes, I want to do that, but acordly the logs, I need PAP authentication between ISE and Duo proxy and I can’t find the option for set PAP authentication because I set up radios external(duo)

this is the Web page that i follow:

https://duo.com/docs/ciscoise-radius

I need 802.1x authentication

Re: Duo Security with Cisco ISE

Francesco Molino — Tue, 10 Mar 2020 02:24:15 GMT

The doc you're looking at is specially for vpn where authentication will be in pap by default.

For 802.1x, you'll need to use saml and so have duo as gateway but not the way you're implementing it.
As far as i know, duo proxy doesn't support mschapv2.

Re: Duo Security with Cisco ISE

PQR — Fri, 13 Mar 2020 19:47:46 GMT

Hi, Do you have a guide configuration with that?

I’ve attached the guide configuration that I follow, but in that guide I don’t see the policy section that I need to configured because when I login in the ssid with DUOAG, i can’t do ping to the DAG portal, only can do ping to ISE IP, but when I Access to the dag portal since the wired network, I have Access. I think is a ise policy config

The ISE, AD,DNS,DUOAG are in the same network

Re: Duo Security with Cisco ISE

Francesco Molino — Fri, 13 Mar 2020 21:06:29 GMT

For Duo Gateway, here is the doc: https://duo.com/docs/dng

Re: Duo Security with Cisco ISE

PQR — Fri, 13 Mar 2020 22:54:25 GMT

That was the error message that show me after I permit by a push the duo 2fa

Re: Duo Security with Cisco ISE

Francesco Molino — Sun, 15 Mar 2020 01:07:32 GMT

Have you followed the link below: https://community.cisco.com/t5/security-documents/network-access-and-segmentation-with-duo-mfa-and-ise/ta-p/3752831

When are you getting the error you sent on the guest portal?

Re: Duo Security with Cisco ISE

kaiyrkhan1 — Thu, 07 Oct 2021 10:05:51 GMT

Hi,

I am facing the same problem with duo proxy.

Can you tell me please, were you able to resolve it without using DAG?