
Integration of ISE with DUO for MFA of routers

asw_25
Level 1

Hi all,

We have ISE integrated with all our NEs, with only device administration (TACACS+) and VM license purchased. We wish to integrate ISE with Duo for MFA for internal users. Is it possible to integrate ISE with Duo without any tier license, since Duo and ISE communicate via RADIUS?


5 Replies

ammahend
VIP

You will still need a Duo license. Licensing is per user, so I don’t think it will be a huge price tag if you have a limited number of IT staff managing network devices.
Also, ISE only communicates with the Duo proxy, forwarding access requests; the Duo proxy works with the Duo cloud for MFA over HTTPS.
More details here: https://community.cisco.com/t5/security-knowledge-base/duo-mfa-integration-with-ise-for-tacacs-device-administration/ta-p/3881767

-hope this helps-

Thank you for your reply!

The Duo license we are purchasing. But my doubt is whether, with the existing ISE license (only TACACS+), we will be able to integrate with Duo once the Duo license is purchased. What are the prerequisites from the ISE side?

I haven’t run into this situation, so I will let the community weigh in on that, but if I have to guess, I don’t think you will need any additional license on the ISE side. Even though ISE is sending access requests to the Duo auth proxy over RADIUS, it’s not the same as an active session, so there should not be any RADIUS-related license consumption. It’s just acting as another identity source.

-hope this helps-

OK. Thank you. And when configuring Duo for ISE internal users, we can do it for selective users, right? I mean, we are planning to purchase only 100 Duo licenses and we have around 390 internal users. We can configure MFA for the selected 100 users, right?

Yes, you can use it for any 100 users.

-hope this helps-