My goal is to enable Anyconnect SSL VPN on ASA with Duo MFA and also posture check on Cisco ISE. Also the user account is located at AD server and ISE internal.
But I'm not sure if the Duo authentication proxy is able to do account lookup on both AD server and Cisco ISE as authentication sequence or not?
Go to Solution.
AFAIK, the 2nd client section is served as fallback after the configured timeout for the primary.
I think you should try radius_client only but like this:
1) Configure ISE with both internal users and a connection to AD and have an ID source sequence to include both types of ID sources.
2) Configure ISE with Duo auth proxy as a network device, besides as a RADIUS token server
3) Configure ISE with a RADIUS policy set for the Duo auth proxy as the network device and use the ID source sequence in (1) as the auth source.
4) Configure Duo auth proxy to use ISE in the radius_client section.
View solution in original post
Hi @jumperdub ,
if my understanding is correct ... if you have a DUO - Identity Source Sequences, with an Authentication Search List of:
2nd Internal Users
and an Advanced Search List Settings:Treat as if the user was not found and proceed to the next store in the sequence
You can use this DUO - Identity Source Sequences on the Authentication Policy of your Policy Set.
In other words ...
1. ISE sends authentication request to the DUO Authentication Proxy (via the 1st Search List of the Identity Source Sequences)
2. If DUO is UP
DUO - Primary Authentication using AD or RADIUS3. If DUO is DOWN
Internal Users is used
4. After a successful Authentication (via DUO or Internal Users), you can configure Posture on your Authorization Policy !!!
Hope this helps !!!
Hi @Marcelo Morais ,
Is it possible for Internal Users on ISE can do MFA as well? I want user on AD and ISE local need to do MFA.
Can I have ad_client and radius_client configured in Duo authentication proxy?
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: