https://community.cisco.com/t5/network-access-control/multiple-identity-sources-for-authorization/m-p/4548149#M572659 <P>Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97757">@mletchworth</a>,</P> <P>As <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/388087">@Greg Gibbs</a> wrote, such flow is not possible. ISE can either process authentication on its own, or it can pass it forward to someone else, but can still proceed with authorization.</P> <P>How I did implementations with Duo is to install Duo Authentication Proxy, to integrate it with AD/LDAP and Duo cloud, and then to integrate ISE with Duo Proxy via RADIUS protocol. Guide that Greg shared is by using External RADIUS servers. I also used integration with ISE as RADIUS Token server.</P> <P>BR,</P> <P>Milos</P> Wed, 09 Feb 2022 07:15:38 GMT Milos_Jovanovic 2022-02-09T07:15:38Z https://community.cisco.com/t5/network-access-control/multiple-identity-sources-for-authorization/m-p/4547156#M572636 <P>Is it possible to require authorization against two external identity sources? Identity source sequence seems to only require passing one or the other external identity source, but want to require both. I would like to use LDAP to valid the user (verify password and group membership "this has been working fine") then after that is validated, send the username and password to our DUO radius proxy for MFA (Duo-Client-Only) processing.</P><P>&nbsp;</P><P>We use ISE to authorize remote VPN users on our ASA. We now have a requirement to add MFA push at login.</P> Tue, 08 Feb 2022 06:47:37 GMT https://community.cisco.com/t5/network-access-control/multiple-identity-sources-for-authorization/m-p/4547156#M572636 mletchworth 2022-02-08T06:47:37Z https://community.cisco.com/t5/network-access-control/multiple-identity-sources-for-authorization/m-p/4547867#M572657 <P>That type of authentication flow is not possible. The way to implement Duo MFA with ISE is using the Duo Authentication Proxy and having it do the lookup against LDAP as documented in <A href="https://duo.com/docs/ciscoise-radius" target="_blank" rel="noopener">this Duo guide</A>.</P> Tue, 08 Feb 2022 21:29:02 GMT https://community.cisco.com/t5/network-access-control/multiple-identity-sources-for-authorization/m-p/4547867#M572657 Greg Gibbs 2022-02-08T21:29:02Z https://community.cisco.com/t5/network-access-control/multiple-identity-sources-for-authorization/m-p/4548149#M572659 <P>Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97757">@mletchworth</a>,</P> <P>As <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/388087">@Greg Gibbs</a> wrote, such flow is not possible. ISE can either process authentication on its own, or it can pass it forward to someone else, but can still proceed with authorization.</P> <P>How I did implementations with Duo is to install Duo Authentication Proxy, to integrate it with AD/LDAP and Duo cloud, and then to integrate ISE with Duo Proxy via RADIUS protocol. Guide that Greg shared is by using External RADIUS servers. I also used integration with ISE as RADIUS Token server.</P> <P>BR,</P> <P>Milos</P> Wed, 09 Feb 2022 07:15:38 GMT https://community.cisco.com/t5/network-access-control/multiple-identity-sources-for-authorization/m-p/4548149#M572659 Milos_Jovanovic 2022-02-09T07:15:38Z