
Cisco ISE and DUO - integration doubts

Hi,

first of all, thanks in advance to everyone in the community who will take some of their personal time to answer here.

I am testing DUO integration with ISE. My preference would be to use the DUO authentication proxy and apply location restrictions for some of our remote access VPNs. Everything is OK so far from testing in the lab, but the whole setup raised some questions/doubts on how Cisco ISE and DUO offer this setup:

 

  1. I ran the authentication proxy on a test VM (Windows 7) that is out of spec, and a couple of times I had to restart the authentication proxy service:
    • Is the authentication proxy service reliable in production?
  2. In order to feed the client source IP so that DUO can enforce a location-based policy, it is necessary to configure the local DUO authentication proxy as an External RADIUS server. This means that when building a policy in ISE you can apply the sequence only to a policy set, rather than within a policy set in an authentication policy. This is not trivial, as I figured out, but it creates a certain restriction in some of our use cases. For example, a RADIUS Token Server can be configured and applied in an authentication policy, which keeps our policies more consistent:
    • Is there a reason for this? Or a future ISE enhancement to either integrate natively with DUO or allow an External RADIUS server in authentication policies directly?
  3. Is it recommended to have this setup with the DUO proxy, or is it better off with AnyConnect via SAML?
4 Replies

paul
Level 10

Why are you having DUO do anything other than process the MFA part of the authentication? Or do you want MFA to act differently depending on the location?

 

You can split up your authentication and authorization functions on the ASAs.  You could send your authentication over to DUO and have it run the MFA process and then send authorization to ISE to have it control policy.  I do this often with my customers.  If I am going to integrate the MFA solution with ISE I usually just use a RADIUS Token definition and don't expect anything back from the MFA provider other than a pass/fail.  All the rest of the rule evaluation is done on the ISE side in the authorization policies.

Hi Paul,

 

You are right and I agree; the expectation is to have just accept/reject from DUO to ISE.

 

What I am more concerned about is the other way around: by authenticating users at the ASA with AAA back to ISE via RADIUS, you need to send context data to DUO in order to process policies (like location restriction, for example). This can happen only if you configure the DUO authentication proxy as an External RADIUS Server in a sequence, and an External RADIUS Server Sequence can only be applied to a Policy Set, not to an authentication entry within a Policy.

 

While this is of course not impossible to overcome, it forces me to create a specific policy set for DUO rather than applying it inline with the existing Policy Set I have for Remote Access, where I have another MFA provider to which I send data through an agent similar to DUO's, but that one is configured as a RADIUS Token Server. While I can use it in the authentication policy, in ISE such a setup does not send context data (like the client's originating IP).

 

As a personal note, I see Cisco ISE as one of Cisco's best products, but there are certain features that are not offered even with additional licensing (like indeed geolocation awareness, anonymizer proxy awareness, etc.), and to enable them an external cloud service (like DUO or others) is necessary, which ALSO offers features similar to Cisco ISE. I believe at some point Cisco should consider offering these options in ISE.

 

I hope this description helps you see my point.

@giovanni.augusto 

Hi 

It's possible to configure the Duo authentication proxy as a RADIUS token server in ISE and use it in an authentication policy. I have successfully tested this for PAP_ASCII-based RADIUS authentication requests.

Thank you,

Have you tried applying a location policy restriction for a geographic area in DUO admin panel?

From my tests there is no AV pair sent from ISE to the DUO authentication proxy with such information (I even ran a tcpdump in ISE to confirm), and consequently the DUO admin panel login attempts show no requester origin IP data, only device data if used with Push.
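The tcpdump check described above can be made repeatable. The following is an added example, not code from any reply in this thread or from Cisco or Duo: a small RADIUS Access-Request parser (packet and attribute layout per RFC 2865) that lists the attributes present and reports whether Calling-Station-Id, the attribute a VPN headend commonly uses to carry the remote client's address, reached the proxy. The two packets are constructed samples standing in for what a capture on the proxy host would contain; the assumption that the proxy would read client location from Calling-Station-Id is mine, not something either product documents on this page.

```python
"""Inspect RADIUS Access-Request packets for the attribute a location-aware
MFA proxy would need (added example; constructed sample packets).

Layout per RFC 2865: Code(1) Identifier(1) Length(2) Authenticator(16),
then attributes encoded as Type(1) Length(1) Value(Length-2).
"""
import struct

ACCESS_REQUEST = 1
CALLING_STATION_ID = 31  # RFC 2865 attribute number

# Well-known RFC 2865 attribute numbers, enough to label a typical request
ATTR_NAMES = {
    1: "User-Name",
    4: "NAS-IP-Address",
    5: "NAS-Port",
    6: "Service-Type",
    31: "Calling-Station-Id",
    32: "NAS-Identifier",
    61: "NAS-Port-Type",
}


def parse_radius(packet: bytes) -> dict:
    """Parse header and attributes; raise ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field inconsistent with packet size")
    attrs = []
    offset = 20
    while offset < length:
        if offset + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[offset], packet[offset + 1]
        # Each attribute is at least 2 bytes and must not run past Length
        if alen < 2 or offset + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {offset}")
        attrs.append((atype, packet[offset + 2:offset + alen]))
        offset += alen
    return {
        "code": code,
        "identifier": identifier,
        "authenticator": packet[4:20],
        "attributes": attrs,
    }


def attribute_names(packet: bytes) -> list:
    """Names of the attributes carried, in wire order."""
    return [ATTR_NAMES.get(t, f"Attr-{t}") for t, _ in parse_radius(packet)["attributes"]]


def client_address(packet: bytes):
    """Return the Calling-Station-Id string, or None if the request carries
    no originating-client context for a downstream policy engine to use."""
    for atype, value in parse_radius(packet)["attributes"]:
        if atype == CALLING_STATION_ID:
            return value.decode("ascii", "replace")
    return None


def build_access_request(identifier: int, attributes: list) -> bytes:
    """Assemble a constructed Access-Request for testing the parser."""
    body = b""
    for atype, value in attributes:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 bytes")
        body += bytes([atype, len(value) + 2]) + value
    # Constructed sample: a real request carries a random 16-byte Request Authenticator
    authenticator = bytes(16)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


# Constructed sample: a proxied request with no client context attached
WITHOUT_CONTEXT = build_access_request(7, [
    (1, b"jdoe"),
    (4, bytes([10, 0, 0, 5])),          # NAS-IP-Address 10.0.0.5 (constructed)
    (6, struct.pack("!I", 2)),           # Service-Type = Framed
])

# Constructed sample: the same request with the client's address in Calling-Station-Id
WITH_CONTEXT = build_access_request(8, [
    (1, b"jdoe"),
    (4, bytes([10, 0, 0, 5])),
    (31, b"203.0.113.42"),               # documentation-range address (constructed)
])

if __name__ == "__main__":
    for label, pkt in (("without context", WITHOUT_CONTEXT), ("with context", WITH_CONTEXT)):
        print(label, attribute_names(pkt), "client:", client_address(pkt))
```

To run this against a real capture, feed the UDP payload of each Access-Request from the pcap to `client_address`; a `None` result for every packet confirms the observation that no originating-address attribute was forwarded, independent of what the Duo admin panel shows.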