Delete and restore users manually created in DUO

a.maldonado
Level 1

Hi! 

I have a DUO production account to which the users were added manually to work with ISE and a DUO proxy. This setup worked and is still working fine.

Now, I upgraded ISE to the version that has DUO integrated so I can remove the proxy from the process. Unfortunately, the process fails at the last stage when I sync the security groups configured in ISE (previously imported from AD) to DUO. The Identity Sync returns a FAIL with No Data Found. 

My suspicion is that because the users are already in the DUO account and were created manually, there must be some kind of conflict when ISE is trying to sync the groups with DUO. My question is: is there a way to clear the users created in the DUO production account and, if required, put them all back again without having to create them one by one again?

I opened a free DUO account and the process of setting up ISE with integrated DUO works fine and straightaway. It just does not want to do it with my production account. By the way, I removed from ISE the configuration that works with the Proxy, to avoid conflicts, and from the Proxy the keys used for DUO, so as to leave the proxy completely isolated, but the Identity Sync still fails.

I will appreciate any help provided.

1 Reply

DuoKristina
Cisco Employee

The ISE team created this integration using our publicly-documented Duo Admin API and Auth API, and didn't provide us that much detail about the ISE operations using those APIs. My understanding is that their "sync" is just making GETs and POSTs to the Duo Admin API /admin/v1/users and /admin/v1/bulk endpoints. If your users were manually created in Duo prior to adding the ISE sync and have the same username values as in the directory you are syncing via ISE, there should be no issue with ISE updating the users via the API.

Is it possible your Duo users weren't created "manually" as in "click add user, type in username, save", but were created in Duo via AD Sync (through the Duo Authentication Proxy)? Admin API is unable to update groups or modify some user attribute values if they are still managed by a Duo AD sync. If you still have an AD Sync hanging out in your prod Duo account managing the users and groups that might be the issue. If you view a user in the Duo Admin Panel does it say it's managed by a sync? You need to delete the sync first, which reverts the sync-managed users and groups to unmanaged.

If you're still stuck you should open a case with TAC to route to ISE support, as they, and not Duo teams, are the SMEs for what their ISE sync operation is actually doing.

Duo, not DUO.
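To make concrete what the reply describes (the ISE sync issuing signed GETs to the Admin API's /admin/v1/users endpoint), here is an added Python example; it is not code from this thread, from ISE or from Duo. It builds the request signature following Duo's publicly documented Admin API scheme (HMAC-SHA1 over date, method, host, path and sorted URL-encoded parameters, sent as a Basic header of ikey:signature) and parses a constructed user-list response into a username-to-groups mapping, which is what an admin would want to review before deleting users or a sync. The integration key, secret key and API hostname are placeholders, and the sample response is constructed, not captured from a real account.

```python
import base64
import email.utils
import hashlib
import hmac
import json
import urllib.parse

# Constructed placeholder credentials and hostname (assumptions, not real values).
IKEY = "DIXXXXXXXXXXXXXXXXXX"
SKEY = "0000000000000000000000000000000000000000"
HOST = "api-xxxxxxxx.duosecurity.com"


def canonicalize(date, method, host, path, params):
    """Canonical string Duo signs: date, METHOD, lowercase host, path, sorted URL-encoded params."""
    canon_params = "&".join(
        f"{urllib.parse.quote(k, safe='~')}={urllib.parse.quote(params[k], safe='~')}"
        for k in sorted(params)
    )
    return "\n".join([date, method.upper(), host.lower(), path, canon_params])


def sign(ikey, skey, date, method, host, path, params):
    """Headers for a signed request: HMAC-SHA1 of the canonical string, sent as Basic ikey:sig."""
    canon = canonicalize(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    auth = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {auth}"}


def build_list_users_request(ikey, skey, host, date=None):
    """URL and signed headers for GET /admin/v1/users, the call the ISE sync relies on."""
    date = date or email.utils.formatdate()
    path, params = "/admin/v1/users", {"limit": "100", "offset": "0"}
    headers = sign(ikey, skey, date, "GET", host, path, params)
    return f"https://{host}{path}?{urllib.parse.urlencode(sorted(params.items()))}", headers


def summarize_users(response_json):
    """Map username -> group names from a /admin/v1/users response body."""
    body = json.loads(response_json)
    return {u["username"]: [g["name"] for g in u.get("groups", [])] for u in body["response"]}


# Constructed sample response in the Admin API's shape (not captured from a real account).
SAMPLE = json.dumps({"stat": "OK", "response": [
    {"username": "alice", "groups": [{"name": "ISE-VPN-Users"}]},
    {"username": "bob", "groups": []},
]})
```

Run against a real account, the mapping shows which users and group names currently exist in Duo, so the usernames can be compared with the directory ISE is syncing before anything is deleted.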