05-03-2020 03:37 PM
Hi,
First of all, thanks in advance to everyone in the community who will take some of their personal time to answer here.
I am testing DUO integration with ISE. My preference would be to use DUO proxy authentication and apply location restrictions for some of our remote access VPNs. Everything is OK so far from testing in the lab, but the whole setup raised some questions/doubts on how Cisco ISE and DUO offer this setup.
05-06-2020 04:37 AM
Why are you having DUO do anything other than process the MFA part of the authentication? Or do you want MFA to act differently depending on the location?
You can split up your authentication and authorization functions on the ASAs. You could send your authentication over to DUO and have it run the MFA process and then send authorization to ISE to have it control policy. I do this often with my customers. If I am going to integrate the MFA solution with ISE I usually just use a RADIUS Token definition and don't expect anything back from the MFA provider other than a pass/fail. All the rest of the rule evaluation is done on the ISE side in the authorization policies.
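The split Paul describes, written out as an added ASA configuration example (not configuration from anyone in this thread); the server addresses, shared secrets, pool and group names are placeholders:

```cisco
! Added example, not from the thread: ASA remote-access tunnel group that
! authenticates against the Duo Authentication Proxy (credentials + MFA) and
! sends a separate authorization request to ISE for policy. All addresses,
! secrets and names below are placeholders.

! RADIUS group for the Duo Authentication Proxy (authentication + MFA).
aaa-server DUO-PROXY protocol radius
aaa-server DUO-PROXY (inside) host 192.0.2.10
 key <duo-proxy-radius-secret>
 authentication-port 1812
 ! Push/phone approvals take longer than the 10 s default.
 timeout 60

! RADIUS group for ISE (authorization and accounting only).
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.0.2.20
 key <ise-radius-secret>
 authentication-port 1812
 accounting-port 1813

tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool RA-POOL
 default-group-policy RA-GP
 ! Primary credentials and the second factor are verified by Duo ...
 authentication-server-group DUO-PROXY
 ! ... then a separate authorization request goes to ISE, whose
 ! authorization policy returns the group-policy / ACL attributes.
 ! ISE sees this as its own RADIUS request, so its authentication step
 ! for this flow must let the request reach the authorization policy
 ! (ISE-side configuration is not shown here).
 authorization-server-group ISE
 authorization-required
 accounting-server-group ISE
```

Because the Duo proxy only returns accept/reject and ISE only evaluates authorization, neither system needs to know about the other, which is the pass/fail-only arrangement described above.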
05-06-2020 05:13 AM
Hi Paul,
You are right and I agree, expectation is to have just accept/reject from DUO to ISE.
What I am more concerned about is the other way around: by authenticating users at the ASA with AAA back to ISE via RADIUS, you need to send context data to DUO in order to process policies (like location restriction, for example). Now, this can happen only if you configure the DUO authentication proxy as an External RADIUS Server in a sequence, and an External RADIUS Server Sequence can only be applied to a Policy Set, not to an authentication entry within a Policy.
While this is not impossible to overcome, of course, it forces me to create a specific policy set for DUO rather than applying it inline with the existing Policy Set I have for Remote Access, where I have another MFA provider to which I send data through an agent similar to DUO's, but it is configured as a RADIUS Token Server. While I can use it in the authentication policy, in ISE such a setup does not send context data (like the client's originating IP).
As a personal note, I see Cisco ISE as one of Cisco's best products, but there are certain features that are not offered even with additional licensing (like indeed geolocation awareness, anonymizer proxy awareness, etc.), and to enable them an external cloud service (like DUO or others) is necessary, which ALSO offers features similar to Cisco ISE's. I believe at some point Cisco should consider offering these options in ISE.
I hope this description helps you see my point.
05-06-2020 05:41 AM
Hi,
It's possible to configure the Duo authentication proxy as a RADIUS token server in ISE and use it in the authentication policy; I have successfully tested this for PAP_ASCII-based RADIUS authentication requests.
05-06-2020 05:52 AM