
AnyConnect VPN on ASA with DUO MFA and ISE Posture Validation and AD/ISE internal users

jumperdub (Beginner)

My goal is to enable AnyConnect SSL VPN on the ASA with Duo MFA and also a posture check on Cisco ISE. The user accounts are located on the AD server and in the ISE internal user store.

 

But I'm not sure whether the Duo Authentication Proxy is able to do account lookups on both the AD server and Cisco ISE as an authentication sequence.

 

 

[Attached image: duo.JPG]

Accepted Solution

AFAIK, the 2nd client section serves as a fallback after the configured timeout for the primary.

I think you should try radius_client only but like this:

1) Configure ISE with both internal users and a connection to AD and have an ID source sequence to include both types of ID sources.

2) Configure ISE with Duo auth proxy as a network device, besides as a RADIUS token server

3) Configure ISE with a RADIUS policy set for the Duo auth proxy as the network device and use the ID source sequence in (1) as the auth source.

4) Configure Duo auth proxy to use ISE in the radius_client section.
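The authproxy.cfg that steps 2 and 4 above describe, as an added example (not the thread's or Duo's own configuration): the proxy's single `[radius_client]` section points at ISE, which resolves the user through the AD + Internal Users identity source sequence from step 1, and `[radius_server_auto]` is the listener the ASA sends its RADIUS requests to. All addresses, secrets and Duo integration values are placeholders.

```ini
; Added example authproxy.cfg; every host, secret and key below is a placeholder.
; Flow: ASA -> [radius_server_auto] -> [radius_client] -> ISE (ID source sequence)
;       -> Duo second factor -> Access-Accept back to the ASA.

[radius_client]
; ISE is the only primary authentication source. No [ad_client] section is
; defined on purpose: a second client section would only be used as a fallback
; after the first one times out, not as a parallel lookup of a second store.
host=10.0.0.20
; Must match the shared secret of the network-device entry that ISE holds for
; the proxy's source IP (step 2); the policy set in step 3 matches that device.
secret=ISE_SHARED_SECRET_PLACEHOLDER
port=1812

[radius_server_auto]
; Values from the Duo Admin Panel "Cisco RADIUS VPN" application (placeholders).
ikey=DIXXXXXXXXXXXXXXXXXX
skey=SKEY_PLACEHOLDER_40_CHARACTERS
api_host=api-XXXXXXXX.duosecurity.com
; The ASA's source address and the secret configured in its aaa-server entry.
radius_ip_1=10.0.0.1
radius_secret_1=ASA_SHARED_SECRET_PLACEHOLDER
; Primary authentication is delegated to the section above.
client=radius_client
port=1812
; "safe" lets primary-authenticated users in if the Duo cloud is unreachable;
; use "secure" to reject them instead.
failmode=safe
```

On the ASA, the tunnel-group's authentication-server-group points at the proxy with `radius_secret_1` as its key, and the RADIUS timeout should be raised (Duo's guidance is 60 seconds) so the push approval can complete before the ASA retries.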


3 Replies

Marcelo Morais (VIP Advisor)

Hi @jumperdub ,

if my understanding is correct ... if you have a "DUO" Identity Source Sequence with an Authentication Search List of:

1st: DUO

2nd: Internal Users

and the Advanced Search List setting "Treat as if the user was not found and proceed to the next store in the sequence",

You can use this DUO - Identity Source Sequences on the Authentication Policy of your Policy Set.

 In other words ...

1. ISE sends the authentication request to the DUO Authentication Proxy (via the 1st entry of the Identity Source Sequence's Search List)

2. If DUO is UP: DUO performs the Primary Authentication using AD or RADIUS

3. If DUO is DOWN: Internal Users is used

4. After a successful Authentication (via DUO or Internal Users), you can configure Posture on your Authorization Policy !!!

 

Hope this helps !!!

Hi @Marcelo Morais ,

Is it possible for Internal Users on ISE to do MFA as well? I want users on AD and ISE local to both need to do MFA.

Can I have ad_client and radius_client configured in the Duo Authentication Proxy?

 

 
