09-27-2016 03:51 PM
Do we know if ISE works with Duo's 2 Factor solution? I did see a reference on their site where they stated they support ISE but no integration guides.
01-11-2017 07:08 PM
Has anyone attempted this yet? As Eric stated above, Duo states on their website that it is compatible with ISE but I have yet to find a guide to show all the integration works. I have a customer that is interested in doing this and need to know if anyone out there has configured this yet.
01-12-2017 08:49 AM
I'm looking for the same thing and reached out to support. They 'said' they will open a case and send the documentation guide. I'll update if received.
01-12-2017 09:01 AM
I'm testing right now with a customer's ISE 2.0 using Duo and TACACS. I was not involved with the setup of Duo. I am somewhat successful. Here is what I found out so far.
When Duo is set up, there is a configuration file created in the Program files folder (c:\program files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg). This file contains the RADIUS shared secret as well as the IP addresses that were (I'm assuming here) created when Duo was set up. In ISE, you need to add Duo as a RADIUS Token in Administration > Identity Management > External Identity Sources. Use the shared secret found in the authproxy.cfg file to configure the connection to the Duo server when you create a new RADIUS Token Identity Source. In my testing, I've left everything pretty much default with the exception of the server timeout.
So far, I've only tested with TACACS, but it appears to just use RADIUS to communicate back and forth. The test I set up was with a 5505 WLC and it works (sometimes). I am not sure if there is some kind of timeout going on, but it seems like if I get the request from Duo and hit it straight away, it works, but if I wait more than a second or two after I get the Push notification from Duo on my phone, then the Authentication passes, but it never proceeds to Authorization. Could just need some more tweaking on timeout values.
I'll update when I've tested more.
Alex
01-12-2017 10:55 AM
I heard back from DUO support and essentially it looks like they are still requiring the DUO proxy to be installed but ISE is the NAD in this case not the ASA?
ISE Duo Integration Steps
[ad_client]
11-30-2017 12:49 PM
I would like to give this a try, did you get this to work and do I need the ad_client?
09-09-2019 01:38 PM - edited 09-09-2019 01:40 PM
We used ISE as a RADIUS server, but with Active Directory as our external ID source. Now I need to "insert" DUO in the mix for 2 factor.
When you set this up, does it still allow you to use the Authorization profiles from ISE to set RADIUS attributes?
Things like:
Access Type = ACCESS_ACCEPT
CVPN3000/ASA/PIX7x-IPSec-Group-Policy = <AD_Group>
Framed-IP
etc?
02-14-2017 02:14 PM
We are also trying to get this working. We want to use local ISE user/groups. We have the Duo proxy added as External RADIUS Token...
We have the proxy set up and I can get a Duo push but can't get the ISE authentication part working.
Would love to know if anyone else has had it work. We are going to open a ticket with TAC and see if they will be of any help.
12-11-2017 09:02 AM
Did you get this working? I am trying to use DUO as a multi factor for access to network devices. I am having trouble getting ISE and the Auth proxy to communicate properly. I can see info in the log of the authproxy when I test and failures on ISE. Something about either a bad password or wrong key. The key matches everywhere and I know the password is correct. In Duo I get this error "[RadiusClient (UDP)] dropping packet from 10.200.1.30:1812 - response packet has invalid authenticator" Duo says it has to do with my ISE configuration.
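The "response packet has invalid authenticator" message quoted in the post above refers to the Response Authenticator field that RFC 2865 defines for RADIUS replies. As an added example (not from this thread, Duo or Cisco), the sketch below computes that field and shows the check a RADIUS client performs on a reply, including cases where it fails; the secrets, packet bytes and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code | ID | Length | Request Authenticator | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code, ident, attrs, request_auth, secret):
    """What the RADIUS server does: sign the reply with its copy of the secret."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_response(packet, request_auth, secret):
    """What the RADIUS client does before trusting a reply."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:length], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)

# Constructed sample values, not taken from the thread.
REQUEST_AUTH = bytes(range(16))              # random 16 bytes in a real Access-Request
REPLY_MESSAGE = bytes([18, 4]) + b"ok"       # attribute type 18, total length 4
SERVER_SECRET = b"example-secret"
CLIENT_SECRET_TYPO = b"example-secret "      # trailing space from a copy/paste

def demo():
    accept = build_response(2, 7, REPLY_MESSAGE, REQUEST_AUTH, SERVER_SECRET)
    return {
        "same_secret": verify_response(accept, REQUEST_AUTH, SERVER_SECRET),
        "secret_typo": verify_response(accept, REQUEST_AUTH, CLIENT_SECRET_TYPO),
        "wrong_request": verify_response(accept, bytes(16), SERVER_SECRET),
        "truncated": verify_response(accept[:10], REQUEST_AUTH, SERVER_SECRET),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'invalid authenticator'}")
```

Because the secret is hashed in as raw bytes, the check fails on any byte-level difference between the two sides' secrets, and also when a reply is matched against a different request than the one it answers.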
04-24-2018 07:38 PM