12-10-2023 11:24 PM
Dear all,
Hope you are doing well.
I have Cisco FTD configured with remote access VPN and Cisco ISE for AAA services using the local user database on the ISE itself, and now I intend to add the 2FA using Cisco Duo.
After completing the configuration on the Cisco ISE and preparing the Cisco Duo Auth proxy, I'm facing an issue with the primary authentication "ISE username & password":
Error performing primary authentication: RADIUS auth request timed out
Allow concat is configured, but is not supported with MS-CHAPv2 authentications. Did you try to concatenate your second factor to your password?
Returning response code 3: AccessReject
(('10.171.22.110', 22043), user1@local, 17): Sending response
dropping packet from 10.171.22.110:1812 - unrecognized ID in response packet: 9
In the attached screenshot you can see the traffic flow and topology, as well as the Cisco Auth proxy configuration file.
I would appreciate your input in addressing this issue.
Thank you,
Ibrahim
12-11-2023 12:01 AM
I need to see:
RADIUS server config
Connection profiles/AAA
Take screenshots of these and share them here so I can check them.
MHM
12-11-2023 02:31 AM
Hello @MHM Cisco World
Thank you for your reply. I have attached a screenshot for all required points. What I'm doing is this: when the request comes to the FTD, it's configured with an AAA server (ISE nodes), and the ISE is configured with an external RADIUS server (Duo Auth Proxy), which will send the first authentication (username and password) to the ISE.
Also, I can see this error message, so do you think if we enable the MS-CHAPv2 on the Cisco Duo it will work?
allow concat is configured but is not supported with ms-chapv2 authentications. Did you try to concatenate your second factor to your password?
Note that this setup is working fine with Active Directory as an external identity for authentication.
Thank you,
Ibrahim