2130 Views | 10 Helpful | 8 Replies

Cisco ISE - Identity Source Sequence not working with 2 sources

OK22 (Level 1)

Hello everybody,


I have an ISE deployment with 2 nodes, Primary and Secondary (Admin, MnT and PSN), version 2.7.

As we use Cisco ISE for VPN authentication, we have an Identity Source Sequence composed of 2 sources, Duo MFA and Active Directory. The first one to be checked should be DUO, and then the AD. In the Authentication Options, if we set the "If Auth Fail" parameter to reject, it checks only the DUO source: if it finds the user there, it's OK; if not, it stops looking in the other sources in the sequence. If we set the "If Auth Fail" parameter to continue, it checks the DUO source; if it finds the user there, it's OK; if it doesn't find the user in the DUO group, it authenticates users from the AD source, but even with wrong passwords. Am I missing something here in the configuration?

PS: The AD source works perfectly fine when not combined with the Duo source (just another AD group of users).


[Attachments: ISE 1.JPG, ISE 2.JPG]

2 Accepted Solutions

Read through the link @Greg Gibbs shared above, this will get you going. If setting DUO as an External RADIUS Server, you will not be able to use it in an Identity Source Sequence; this is the first clue that ISE is misconfigured. The link Greg shared is https://duo.com/docs/ciscoise-radius

Ok, will go through the DUO documentation once again.

Thank you!

8 Replies

Hi,

What you described about 'Continue' is expected, because continue will cause ISE to resume even with wrong auth. However, if you set 'If Auth fail' to 'Reject', it should check all sources in the sequence, including DUO and AD, before rejecting (top-down attempts).

Have you confirmed the auth message passed from DUO? If the user is found in DUO with an incorrect response, it won't attempt AD.

**** please remember to rate useful posts

Hi,


Yes, normally it should check the second source if the user is not found in the first one. But it doesn't: if the user is not in the DUO group, then the authentication fails without checking the other sources when set to Reject.

Maybe I should check the responses from DUO, in case there is something strange such as a user found with an incorrect password, even though the users we tested were surely not present in the DUO group.

I've tested the DUO as the only source too, and it's working fine.

The problems appear only when both sources are used.

Thanks for the assistance so far

I'm not sure I understand the scenario here. You're using Duo Authentication Proxy (DAP) for ISE to forward the RADIUS requests from the VPN headend to DAP, right? The validated design for this would be to have DAP perform the check against AD itself, then upon success run through the MFA flow and return the success back to ISE. In this case, you would be using a RADIUS Server Sequence instead of an Identity Source Sequence. DAP already uses AD on the backend, so there would be no case for ISE to query AD directly.
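As an added illustration of the validated design described in the reply above (this is not configuration from the thread, from Duo or from Cisco), here is the shape of a Duo Authentication Proxy `authproxy.cfg` in which the proxy performs primary authentication against Active Directory itself (`client=ad_client`), then runs the Duo MFA step and answers the RADIUS request coming from ISE. On the ISE side the proxy is defined as an External RADIUS Server and placed in a RADIUS Server Sequence, not in an Identity Source Sequence. Every host, secret and Duo key value below is a placeholder; the two `radius_ip_*` entries assume the deployment's two PSN nodes.

```ini
; Added example of a Duo Authentication Proxy configuration (not from the
; thread, not Duo's or Cisco's own file). All hosts, secrets and Duo keys
; below are placeholders and must be replaced with real values.

; Primary authentication is performed by the proxy itself against Active
; Directory, so ISE never needs to query AD directly for these users.
[ad_client]
host=AD-DC-IP-PLACEHOLDER
service_account_username=SERVICE-ACCOUNT-PLACEHOLDER
service_account_password=SERVICE-ACCOUNT-PASSWORD-PLACEHOLDER
search_dn=DC=example,DC=com

; The proxy listens for RADIUS requests from ISE. On the ISE side the proxy
; is an External RADIUS Server used in a RADIUS Server Sequence.
[radius_server_auto]
ikey=DUO-INTEGRATION-KEY-PLACEHOLDER
skey=DUO-SECRET-KEY-PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
; RADIUS clients allowed to talk to the proxy: the two ISE PSN nodes
radius_ip_1=ISE-PSN-1-IP-PLACEHOLDER
radius_secret_1=RADIUS-SHARED-SECRET-1-PLACEHOLDER
radius_ip_2=ISE-PSN-2-IP-PLACEHOLDER
radius_secret_2=RADIUS-SHARED-SECRET-2-PLACEHOLDER
; primary (password) authentication is delegated to the [ad_client] section
client=ad_client
port=1812
; failmode=safe lets a login succeed on the AD check alone when Duo's cloud
; service is unreachable; failmode=secure denies the login instead.
failmode=secure
```

With this layout, a wrong AD password is rejected by the proxy before any MFA prompt, and a user who is not enrolled in Duo is handled by the Duo enrollment policy rather than falling through to a second identity store, which is the behaviour the Identity Source Sequence in the original post could not provide. The `failmode` choice is the security-relevant knob: `safe` trades availability for a window in which MFA is not enforced, so it should be a deliberate decision rather than a default.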


Hi,


The scenario is exactly as you described it: the DAP handles the AD query. DAP is configured as a "RADIUS Token Identity Source" in "Identity Management - External Identity Sources" and then included in the previously mentioned sequence as the primary option, prior to the AD itself, which is used for normal login without MFA.

Try this: create two separate rules, one for DUO authentication with the action set to 'continue' and another rule for AD authentication with the action set to 'reject'. This should do the same trick as the identity sequence.

This way, if users fail DUO MFA, they will go to AD authentication without MFA, which will drop them if authentication fails.

***** please remember to rate useful posts

Thank you, will try this as well!
