ISE and DUO integration

dngore
Cisco Employee

Hi Team,

We are integrating ISE with DUO for a remote access VPN use case.

As per the DUO documentation (https://duo.com/docs/ciscoise-radius#change-the-authentication-policy), we need to configure DuoRADIUSSequence for the policy in the policy set. But after doing that, we can't see the authorization policies for that policy. It only shows the count number.

Is it a bug? Ideally it should show the authentication and authorization policies for that main policy.

I am using ISE 2.6 with patch 5.

Kindly correct me if I am doing something wrong.

1 Accepted Solution

Thx a lot, Greg, for the link.

I found the answer for DUO integration with ISE Posture for VPN.

Basically, we need to define DUO as an external RADIUS server, as mentioned in the DUO document. But we need to enable "On access-accept, proceed to authorization policy" under the Advanced option for the RADIUS Server Sequence. This makes it possible to configure the authorization policy.

2 Replies

Greg Gibbs
Cisco Employee

The example in that document is using ISE as RADIUS Proxy. When using this option, ISE only sends the request to the upstream RADIUS server (in this case the Duo Auth Proxy) and returns the response from that server to the originating RADIUS client. ISE has no control of the AuthC/AuthZ decisions, which is why there are no underlying AuthC or AuthZ Policies.

This is working as designed.

While that document provides good detail on the underlying integration and configuration of the Duo Auth Proxy, there are other options for inserting Duo into the flow. See the following document for another example in which ISE can provide more control.

DUO MFA with Cisco Anyconnect and ISE 

Cheers,

Greg
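The two behaviours discussed in this thread (pure RADIUS proxy versus "On access-accept, proceed to authorization policy"), as a simplified decision-flow model. This is an added example, not code from Cisco, Duo or either poster; every class, field, rule and profile name in it is hypothetical, and the default-deny fallback is an assumption of the model.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Reply:
    code: str                               # "Access-Accept" or "Access-Reject"
    attrs: dict = field(default_factory=dict)
    decided_by: str = "upstream"

@dataclass
class AuthzRule:
    name: str
    matches: Callable[[dict], bool]         # condition evaluated on the request
    attrs: dict                             # what ISE returns when it matches

def duo_auth_proxy(request: dict) -> Reply:
    """Stand-in for the upstream server: accepts only if MFA was approved."""
    return Reply("Access-Accept" if request.get("mfa_approved") else "Access-Reject")

def policy_set(request, upstream, rules, proceed_to_authz: bool) -> Reply:
    reply = upstream(request)
    # Pure proxy, or upstream rejected: relay the upstream answer unchanged.
    if not proceed_to_authz or reply.code != "Access-Accept":
        return reply
    # Flag enabled and upstream accepted: ISE's own rules decide, first match wins.
    for rule in rules:
        if rule.matches(request):
            return Reply("Access-Accept", dict(rule.attrs), f"ise:{rule.name}")
    return Reply("Access-Reject", {}, "ise:default")   # assumed default-deny rule

# Constructed posture rules and requests (hypothetical profile names).
RULES = [
    AuthzRule("compliant", lambda r: r.get("posture") == "Compliant", {"profile": "VPN-Full"}),
    AuthzRule("unknown", lambda r: r.get("posture") != "Compliant", {"profile": "Posture-Redirect"}),
]
NEW_SESSION = {"user": "alice", "mfa_approved": True, "posture": "Unknown"}
MFA_DENIED = {"user": "bob", "mfa_approved": False, "posture": "Compliant"}

def compare(request):
    """Return (proxy-only reply, proxy-then-authorization reply) for one request."""
    return (policy_set(request, duo_auth_proxy, RULES, False),
            policy_set(request, duo_auth_proxy, RULES, True))

if __name__ == "__main__":
    for req in (NEW_SESSION, MFA_DENIED):
        proxied, authorized = compare(req)
        print(req["user"], "| proxy only:", proxied, "| with authz:", authorized)
```

In the proxy-only case the accepted session carries no ISE-assigned result at all, so a posture rule never gets a chance to apply; an upstream reject is relayed in both modes.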
