09-06-2022 11:39 PM
Hi all,
We have ISE integrated with all our NEs, with only device administration (TACACS+) and VM license purchased. We wish to integrate ISE with Duo for MFA for internal users. Is it possible to integrate ISE with Duo without any tier license, since Duo and ISE communicate via RADIUS?
09-07-2022 12:06 AM - edited 09-07-2022 12:51 AM
You will still need a Duo license. Licensing is per user, so I don’t think it will be a huge price tag if you have a limited number of IT staff managing network devices.
Also, ISE only communicates with the Duo proxy, forwarding the access request; the Duo proxy works with the Duo cloud for MFA over HTTPS.
More details here: https://community.cisco.com/t5/security-knowledge-base/duo-mfa-integration-with-ise-for-tacacs-device-administration/ta-p/3881767
09-07-2022 12:11 AM
Thank you for your reply!
The Duo license we are purchasing. But my doubt is whether, with the existing ISE license (only TACACS+), we will be able to integrate with Duo once the Duo license is purchased. What are the prerequisites on the ISE side?
09-07-2022 01:16 AM - edited 09-07-2022 01:27 AM
I haven’t run into this situation, so I will let the community weigh in on that, but if I have to guess, I don’t think you will need any additional license on the ISE side. Even though ISE is sending the access request to the Duo auth proxy over RADIUS, it’s not the same as an active session, so there should not be any RADIUS-related license consumption. It’s just acting as another identity source.
09-07-2022 04:58 AM
OK. Thank you. And when configuring Duo for ISE internal users, we can do it for selected users, right? I mean, we are planning to purchase only 100 Duo licenses and we have around 390 internal users. We can configure MFA for a selected 100 users, right?
09-07-2022 06:55 AM
Yes, you can use it for any 100 users.