cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3326
Views
5
Helpful
8
Replies

Duo Security with Cisco ISE

PQR
Level 1
Level 1

Hola, ¿es posible habilitar PAP con comunicación con Duo Prsoxy y Ciso ISE?

 

En la documentación de Duo sobre Fortinet y Palo Alto, es posible activar la opción para especificar el tipo de protocolo que se utilizará para comunicarse con el proxy duo y el NAC, pero en Cisco Ise no encuentro esa opción.

Adjunto mi proxy settings.cfg
registros de Cisco Duo

La configuración que tengo en ISE es:
Usuario local creado especificando que es un usuario Duo.

duo.png

0893BB99-6575-488F-9CC7-9D97C783D914.jpeg

 

logduo.png

8 Replies 8

Francesco Molino
VIP Alumni
VIP Alumni
Hi

First of all, you've attached a screenshot of your real config of your duo proxy which includes your keys. Remove the screenshot and reattach it by hiding these keys.

Why on ISE are you creating a network access user?
PAP is available on authentication protocol. Normally ISE receives an authentication request and forward it to your DUO using the protocol. Is this what you want to do?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

PAP is available on authentication protocol. Normally ISE receives an authentication request and forward it to your DUO using the protocol. Is this what you want to do?

 

Answer: Yes, I want to do that, but acordly the logs, I need PAP authentication between ISE and Duo proxy and I can’t find the option for set PAP authentication because I set up radios external(duo)

 

this is the Web page that i follow:

https://duo.com/docs/ciscoise-radius

I need 802.1x authentication

The doc you're looking at is specially for vpn where authentication will be in pap by default.

For 802.1x, you'll need to use saml and so have duo as gateway but not the way you're implementing it.
As far as i know, duo proxy doesn't support mschapv2.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi, Do you have a guide configuration with that?

I’ve attached the guide configuration that I follow, but in that guide I don’t see the policy section that I need to configured because when I login in the ssid with DUOAG, i can’t do ping to the DAG portal, only can do ping to ISE IP, but when I Access to the dag portal since the wired network, I have Access. I think is a ise policy config

The ISE, AD,DNS,DUOAG are in the same network

For Duo Gateway, here is the doc: https://duo.com/docs/dng

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

duo issue.png

 

That was the error message that show me after I permit by a push the duo 2fa

Have you followed the link below: https://community.cisco.com/t5/security-documents/network-access-and-segmentation-with-duo-mfa-and-ise/ta-p/3752831

When are you getting the error you sent on the guest portal?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

 

I am facing the same problem with duo proxy.

Can you tell me please, were you able to resolve it without using DAG?

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: