topic Re: Anyconnect and ISE with DUO MFA strange issue in Network Access Control

Anyconnect and ISE with DUO MFA strange issue

Steven Williams — Wed, 13 Feb 2019 19:53:01 GMT

I am using the ASA to primary auth against Cisco ISE servers and then secondary authentication to DUO proxy servers using DUO_auth Only.

I am seeing some strange things in the ISE radius logs. I see a successful auth followed by a rejected auth, but I still get one and still have access.

First session says 5200 authentication succeeded.

	24343	RPC Logon request succeeded - stevenwilliams@eftdomain.net
	24402	User authentication against Active Directory succeeded - All_AD_Join_Points
	22037	Authentication Passed
	24423	ISE has not been able to confirm previous successful machine authentication
	15036	Evaluating Authorization Policy

	15004	Matched rule - IT
	15016	Selected Authorization Profile - SSLVPN_IT
	11022	Added the dACL specified in the Authorization Profile
	22081	Max sessions policy passed
	22080	New accounting session created in Session cache
	11002	Returned RADIUS Access-Accept

So that looks good. RADIUS looks good also. Then the second log says RADIUS failed due to incorrect password.

Event	5400 Authentication failed
Failure Reason	24408 User authentication against Active Directory failed since user has entered the wrong password
Resolution	Check the user password credentials. If the RADIUS request is using PAP for authentication, also check the Shared Secret configured for the Network Device
Root cause	User authentication against Active Directory failed since user has entered the wrong password
Username	stevenwilliams

	24323	Identity resolution detected single matching account
	24344	RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,stevenwilliams@eftdomain.net
	24408	User authentication against Active Directory failed since user has entered the wrong password - All_AD_Join_Points
	22057	The advanced option that is configured for a failed authentication request is used
	22061	The 'Reject' advanced option is configured in case of a failed authentication request
	11003	Returned RADIUS Access-Reject

So I do not get it. The only thing I am thinking is this is happening due to incorrect configuration at the authentication policy area. What are these "suppose" to be how are they "suppose" to be configured? When do they need to be modified?

Re: Anyconnect and ISE with DUO MFA strange issue

Francesco Molino — Thu, 14 Feb 2019 05:53:44 GMT

Hi

Does your authentication goes to ise first?
Have you deployed duo auth proxy?

Personally, i configure asa to send requests to duo proxy and then duo will forward it to ise for auth and authorization.

Re: Anyconnect and ISE with DUO MFA strange issue

Steven Williams — Thu, 14 Feb 2019 14:27:34 GMT

ASA auths to ISE first and Duo is secondary Auth. The ASA uses DUO radius to a duo proxy. We cant use duo proxy for both authentication and authorization as the we are using dACLs which uses CoA and the duo proxy will not pass on the CoA to ISE so this is the way it has to be done per Duo and Cisco support.

Re: Anyconnect and ISE with DUO MFA strange issue

Rahul Govindan — Thu, 14 Feb 2019 16:22:38 GMT

Does DUO auth proxy also tie to the backend AD? IF yes, I believe you can set ISE as only your authorization server. What this should do is authenticate against DUO (with AD and push/passcode) and check authorization against ISE. Authorization is what gives you the DACL's, so your CoA/posture should work normally.

So DUO can be set up as this:

https://duo.com/docs/cisco-alt

And then you add ISE as authz server as seen below:

Re: Anyconnect and ISE with DUO MFA strange issue

Steven Williams — Thu, 14 Feb 2019 16:28:07 GMT

No, Duo proxy is doing DUO only, no ad_client is used. Proxy looks to duo api only.

Re: Anyconnect and ISE with DUO MFA strange issue

Rahul Govindan — Thu, 14 Feb 2019 17:42:02 GMT

Ok, makes sense. Can you paste the ASA side config for that tunnel-group?

Also, do you have the ASA radius debug output that you can sanitize and share? My thought is that since the username looks to be shared between the primary and secondary auth, the second failure is when the ASA uses the secondary creds (duo) also for authorization, causing a failure on ISE.

Re: Anyconnect and ISE with DUO MFA strange issue

Francesco Molino — Thu, 14 Feb 2019 22:05:48 GMT

Ok it wasn't mentioned about dACL.
Normally your ASA should reach ISE as radius server.
Then you have on ISE:
- external radius token which will be your duo auth proxy server
- identity source sequence which has DUO radius token only as source identity
- create a policy-set VPN (just assumption here)
- authentication going to identity source sequence previously created
- authorization policy with your authz profile (dACL,...)

On your duo auth proxy, you have radius_server_auto section (which has ISE IP) + you can have radius_client (your ISE IP as well) to validate users credentials.

Or have you configured it another way?
I'm testing FTD (FDM) 6.4 and tested it with success. (not tested dACL right now) but it shouldn't affect as DUO is part of authentication process only and then authorization is between ISE and ASA

Re: Anyconnect and ISE with DUO MFA strange issue

Steven Williams — Thu, 14 Feb 2019 22:41:50 GMT

That method is the way we have it now and it causes way too many issues, timing issues, miss pushes, etc, etc. So Duo and Cisco have told us to redesign.

Re: Anyconnect and ISE with DUO MFA strange issue

Francesco Molino — Thu, 14 Feb 2019 23:01:44 GMT

Ok weird I always deploy that way and never ended with such big issues.
Then you are in the old fashion way with 1st authentication from ASA to ISE and 2nd authentication to Duo right? Or I missed something here.
The 2nd auth is using DUO-LDAP straight to internet or going to local duo-proxy?

Then why the 2nd auth is sent to ISE which triggers a failed. Normally when ISE replies with an access-accept the 1st time, then ASA should request the 2nd auth server (DUO) to validate the passcode or push the popup.

If using proxy, can you share the authproxy cfg file (remove all passwords) + ASA config ?
Can you also please share ISE config (Identity Source Sequence) and the full log of authentication (both: accept and failed)?

Re: Anyconnect and ISE with DUO MFA strange issue

Francesco Molino — Fri, 15 Feb 2019 00:10:43 GMT

I've done it on my LAB and it works fine. Here my config

It works like a charm!

Re: Anyconnect and ISE with DUO MFA strange issue

Steven Williams — Fri, 15 Feb 2019 00:00:59 GMT

ASA:

AAA Server Group = ISE Server

-> Secondary Authentication = DUO-RADIUS -> Use Primary Username

;[radius_server_auto]
;ikey=
;skey=
;api_host=
;radius_ip_1=
;radius_secret_1=
;failmode=safe
;client=ad_client
;port=1812

[duo_only_client]

[radius_server_duo_only]
ikey=DI2DTOC8S*****
skey=qrVyCPhvfkczB7****
api_host=api-7****.duosecurity.com
failmode=safe
radius_ip_1=10.53.0.251
radius_secret_1=****an2nv6ehz9P***

Re: Anyconnect and ISE with DUO MFA strange issue

Steven Williams — Fri, 15 Feb 2019 00:01:32 GMT

Cant see anything here.

Re: Anyconnect and ISE with DUO MFA strange issue

Francesco Molino — Fri, 15 Feb 2019 00:11:22 GMT

Sorry screenshot are now accessible

Re: Anyconnect and ISE with DUO MFA strange issue

Steven Williams — Fri, 15 Feb 2019 00:13:18 GMT

Ya I am not doing duo ldap. So the asa talks to the duo proxy and proxy talks to duo cloud api...so not sure what that changes. what does your ISE policy look like?

Re: Anyconnect and ISE with DUO MFA strange issue

Francesco Molino — Fri, 15 Feb 2019 00:26:21 GMT

Very basic config. Take a look at the pictures.

I changed to use my duo proxy and it works the same way.

Re: Anyconnect and ISE with DUO MFA strange issue

Steven Williams — Fri, 15 Feb 2019 00:30:04 GMT

Something is wrong then. I am using a identity sequence for all ad joint points. because I have multiple domains. and ISE is seeing what looks like multiple authentication requests...Its strange...Nothing is talking radius to ISE except the ASA.

Re: Anyconnect and ISE with DUO MFA strange issue

Francesco Molino — Fri, 15 Feb 2019 00:33:53 GMT

Then, create an ISQ with only 1 AD for testing and see if it works.

Maybe it’s an issue with your multi-domain ISQ.

Re: Anyconnect and ISE with DUO MFA strange issue

Steven Williams — Fri, 15 Feb 2019 14:47:31 GMT

whats the debug for this and is it ok to do during the day?

Re: Anyconnect and ISE with DUO MFA strange issue

Steven Williams — Fri, 15 Feb 2019 14:52:54 GMT

The issue has to be with the ASA and/or ISE. I made the secondary authentication DUO-LDAP which will send the request right out to DUO cloud and I still get one success login and one denied login:

Re: Anyconnect and ISE with DUO MFA strange issue

Steven Williams — Fri, 15 Feb 2019 14:57:44 GMT

Here is the failed authentication output