
VPN certificate authentication with ISE and Duo MFA login issues

Hi all,

I am currently in the process of implementing ASA VPN certificate authentication with Cisco ISE and DUO MFA. However, I have encountered an issue where DUO seems unable to handle authentication without a password.
As we are using certificate authentication to identify the user instead of the traditional username and password method, DUO is unable to resolve the AD username via the DUO proxy. This results in the Cisco ISE logs showing an "INVALID username" error.
After reviewing the configuration and troubleshooting steps, it appears that DUO cannot handle certificate-based RADIUS authentication. I would greatly appreciate any guidance or assistance on how to configure DUO to support this authentication method.

ISE logs

chocolate2395777_1-1710737258603.png

chocolate2395777_2-1710737289640.png

Duo Logs

chocolate2395777_0-1710737778890.png

Yellow = username
Red = ISE-IP
The firewall (FTD) is managed by FMC, and I was able to connect to the VPN without ISE using certificate authentication.

1 Accepted Solution

DuoKristina
Cisco Employee

Pulkit Mittal
Spotlight

Hi There,

Compare the username value, as in what ISE is expecting and what is being sent from Duo to authenticate. Make sure you are normalizing the username in the Duo application. If the above is true, then we may need to look at alias configuration.

Which Duo applications have username normalization enabled by default?

Duo Username Aliases Configuration Guide

Regards,

Pulkit M.

If you find this useful, please mark it helpful and accept the solution.

DuoKristina
Cisco Employee

Thanks for your help.
Just put [duo_only_client] in the proxy.cfg file and create a new RADIUS server in ISE pointing to the proxy.
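A sketch of the Duo Authentication Proxy configuration the reply above describes, added here as an example and not taken from any poster's actual file. The thread names only `[duo_only_client]`; the `[radius_server_auto]` server section, the `failmode` choice, and every key, address and secret below are assumptions or placeholders.

```ini
; Constructed example for the Duo Authentication Proxy config file.
; All values are placeholders; the server section type is an assumption.

; Before: a primary-auth client such as [ad_client] or [radius_client]
; makes the proxy check a password first. A certificate-only VPN login
; supplies no password, so primary authentication fails.
; [radius_server_auto]
; client=ad_client

; After: the proxy performs no primary authentication, only Duo 2FA.
; The section takes no properties.
[duo_only_client]

[radius_server_auto]
; Integration credentials from the Duo Admin Panel (placeholders)
ikey=DIXXXXXXXXXXXXXXXXXX
skey=<secret-key-placeholder>
api_host=api-XXXXXXXX.duosecurity.com
; ISE is the RADIUS client of the proxy (placeholder address and secret)
radius_ip_1=192.0.2.10
radius_secret_1=<shared-secret-placeholder>
; Reference the password-less client section defined above
client=duo_only_client
; Deny access if the Duo service cannot be reached
failmode=secure
port=1812
```

The username ISE forwards to the proxy must still match a Duo username or alias, which is where the normalization and alias checks from the earlier reply apply.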

 
