02-26-2024 08:58 AM
Hello,
I am going to integrate our Cisco switches' device admin access (TACACS) with Cisco ISE and Duo Cloud, with the user accounts located in our on-premises AD. The proposed flow was as follows:
Switch --> ISE ---> Duo Auth Proxy --> Duo Cloud
The plan was to use Duo Auth Proxy for the ISE-Duo Cloud integration, but the customer has the below queries.
1. Can we do the ISE-Duo Cloud integration without Duo Auth Proxy?
2. Can we use Azure AD instead of on-premises AD?
3. Can we use SAML for the integration between ISE and Duo Cloud?
Their requested flow is as follows:
Switch ---> ISE ----> Duo Cloud (with user accounts located in Azure AD).
Please advise
Thanks
02-26-2024 01:34 PM
The only validated solutions for this use case leverage Duo Auth Proxy: either the standalone method or the new direct integration in ISE 3.3p1 (technically still a beta feature). Both options require traditional AD (on-prem or in the cloud).
SAML is browser-based, so it would not work with CLI-based mechanisms without some sort of broker in the client. ISE Device Admin policies cannot currently be configured to use a SAML IdP.
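For reference, the validated Switch -> ISE -> Duo Auth Proxy -> AD/Duo Cloud chain described above boils down to a small authproxy.cfg on the proxy host. The fragment below is an added example and is not from this thread or from Cisco/Duo documentation; every hostname, IP address, DN, key and shared secret is a placeholder that must be replaced with your own values.

```ini
; Duo Authentication Proxy - authproxy.cfg (added example, placeholders only)
; Flow: Switch --TACACS+--> ISE --RADIUS--> Duo Auth Proxy --> on-prem AD (primary)
;                                                           --> Duo Cloud (second factor)

; Primary authentication against on-premises Active Directory (assumed DC names/DN)
[ad_client]
host=dc1.corp.example.com
host_2=dc2.corp.example.com
service_account_username=svc-duoproxy
service_account_password=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
search_dn=DC=corp,DC=example,DC=com
; Optional: only members of this group may authenticate through the proxy
security_group_dn=CN=NetworkAdmins,OU=Groups,DC=corp,DC=example,DC=com

; RADIUS listener that ISE talks to; Duo adds the second factor automatically
[radius_server_auto]
ikey=REPLACE_WITH_DUO_INTEGRATION_KEY
skey=REPLACE_WITH_DUO_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
; ISE Policy Service Nodes that will send RADIUS to the proxy (assumed addresses)
radius_ip_1=10.0.10.21
radius_secret_1=REPLACE_WITH_SHARED_SECRET_1
radius_ip_2=10.0.10.22
radius_secret_2=REPLACE_WITH_SHARED_SECRET_2
; Use the [ad_client] section above for the primary (password) check
client=ad_client
port=1812
; Fail closed for privileged device admin: deny if Duo Cloud is unreachable
failmode=secure
```

On the ISE side the proxy is added as an external RADIUS Token identity source and selected as the identity store in the Device Admin (TACACS+) policy set, so the switch never talks to Duo directly. Two practical caveats: use PAP/ASCII for the TACACS+ authentication so the password reaches the proxy in a form it can forward to AD, and raise both the ISE RADIUS token server timeout and the switch's TACACS+ server timeout well above the time an admin needs to approve a Duo push, otherwise the login fails before the second factor completes.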
02-26-2024 01:49 PM
02-26-2024 04:46 PM
1. Correct
2. Entra ID is not the same as Active Directory, so there are limitations on how ISE can interact with Entra ID (mainly being SAML or REST ID). We cannot currently use either of these for TACACS+ (Device Admin) policies. SAML IdP is only supported for use with portal-based authentication flows, and REST ID is used mainly with RADIUS endpoint flows.
02-26-2024 09:09 PM
02-27-2024 01:35 PM
AFAIK, the functionality is the same so it would mainly be a preference thing. For more Duo-specific questions, you might try posting them to the Duo Security community space.