topic Re: Cisco ISE - Identity Source Sequence not working with 2 sources in Network Access Control

Cisco ISE - Identity Source Sequence not working with 2 sources

OK22 — Thu, 30 Jun 2022 09:27:58 GMT

Hello everybody,

I have an ISE deployment with 2 nodes, Primary and Secondary (Admin, MnT and PSN), version 2.7.

As we use Cisco ISE for VPN authentication, we have an Identity source sequence composed by 2 sources, Duo MFA and Active Directory. The first one to be checked should be DUO and then the AD. In the Authentication Options, if we set the "If Auth Fail" parameter to reject, it checks only the DUO source, if it finds the user there it's ok, if not it stops looking in other sources in the sequence. If we set the "If Auth Fail" parameter to continue, it checks the DUO source, if it finds the user there it's ok, if it doesn't find users in the DUO group, it authenticates users from AD source but even with wrong passwords. Am I missing something here in the configurations?

PS: The AD source works perfectly fine when not combined with the Duo source (just another AD group of users).

Re: Cisco ISE - Identity Source Sequence not working with 2 sources

Mohammed al Baqari — Thu, 30 Jun 2022 13:57:31 GMT

Hi,

What you described about 'Continue' is expected because continue will cause
ISE to resume even with wrong auth. However, if you set 'If Auth fail' to
'Reject', it should check all sources in the sequence including DUO and AD
before rejecting (top-down attempts).

Have confirmed the auth message passed from DUO.? If the user is found in
DUO with incorrect response it won't attempt AD.

**** please remember to rate useful posts

Re: Cisco ISE - Identity Source Sequence not working with 2 sources

OK22 — Thu, 30 Jun 2022 14:30:04 GMT

Hi,

Yes, normally it should check the second source if the user is not found in the first one. But it doesn't, if the user is not in the DUO group, then the authentication fails without checking the other sources when set to Reject.

Maybe I should check the responses from DUO, if there is something strange as user found with incorrect password, even though the users we tested were surely not present in the DUO group.

I've tested the DUO as the only source too, and it's working fine.

Only when both sources are used, the problems appear.

Thanks for the assistance so far

Re: Cisco ISE - Identity Source Sequence not working with 2 sources

Greg Gibbs — Thu, 30 Jun 2022 22:41:15 GMT

I'm not sure I understand the scenario here. You're using Duo Authentication Proxy (DAP) for ISE to forward the RADIUS requests from the VPN headend to DAP, right? The validated design for this would be to have DAP perform the check against AD itself, then upon success run through the MFA flow and return the success back to ISE. In this case, you would be using a RADIUS Server Sequence instead of an Identity Source Sequence. DAP already uses AD on the backend, so there would be no case for ISE to query AD directly.

Re: Cisco ISE - Identity Source Sequence not working with 2 sources

OK22 — Fri, 01 Jul 2022 06:59:51 GMT

Hi,

The scenario is exactly as you described it, the DAP handles the AD query. DAP is configured as "RADIUS Token Identity Source" in "Identity Management-External Identity Sources" and then included in the previously mentioned sequence as the primary option, prior to the AD itself which is used for normal login without MFA.

Re: Cisco ISE - Identity Source Sequence not working with 2 sources

Mohammed al Baqari — Fri, 01 Jul 2022 11:29:31 GMT

Try this, create two separate rules for DUO authentication with action as
'continue' and another rule for AD authentication with action as 'reject'.
This should do the same trick as identity sequence.

This way if users fail DUO MFA, will go to AD authentication without MFA
which will drop them if it fails authentication.

***** please remember to rate useful posts

Re: Cisco ISE - Identity Source Sequence not working with 2 sources

Charlie Moreton — Fri, 01 Jul 2022 12:22:55 GMT

Read through the link @Greg Gibbs shared above, this will get you going. If setting DUO as an External RADIUS Server, you will not be able to use it in an Identity Source Sequence, this is the first clue that ISE is misconfigured. The link Greg shared is https://duo.com/docs/ciscoise-radius

Re: Cisco ISE - Identity Source Sequence not working with 2 sources

OK22 — Fri, 01 Jul 2022 12:20:59 GMT

Thank you, will try this as well !

Re: Cisco ISE - Identity Source Sequence not working with 2 sources

OK22 — Fri, 01 Jul 2022 12:23:56 GMT

Ok, will go through the DUO documentation once again.

Thank you !