Solved: ISE as RADIUS proxy, would CoA work?

mabriand · ‎01-16-2019

Hello,

I'm currently investigating ISE and DUO integration with ASA for remote access VPN. One of the options is to have ISE proxy RADIUS requests to the DUO Auth Proxy.

I was wondering if CoA (sent by ISE to ASA) would still be functional in that scenario. I'm ultimately seeking to understand if posture would be possible in that type of setup.

Best Regards,

Martin

paul · ‎01-16-2019

I usually don't use the RADIUS proxy setup. I prefer the RADIUS token server setup when integrating with 2FA vendors. In that scenario I know CoA and posturing works just fine. I would assume it should work with the RADIUS proxy setup.

You can test it easily enough. Get a device connected on VPN with DUO as RADIUS proxy in ISE. Go to the live sessions screen and find the session. Click Reauthentication for CoA actions and see if you see an authentication in the live logs.

View solution in original post

paul · ‎01-16-2019

I usually don't use the RADIUS proxy setup. I prefer the RADIUS token server setup when integrating with 2FA vendors. In that scenario I know CoA and posturing works just fine. I would assume it should work with the RADIUS proxy setup.

You can test it easily enough. Get a device connected on VPN with DUO as RADIUS proxy in ISE. Go to the live sessions screen and find the session. Click Reauthentication for CoA actions and see if you see an authentication in the live logs.

mabriand · ‎01-17-2019

Thanks Paul, spot on.

Not sure why I drifted from Radius Token server to RADIUS proxy instead.

Indeed with usage of DUO Auth Proxy as a RADIUS token server, there's no concern anymore.

I'm still curious about RADIUS proxy and CoA and will test that whenever I get access to a lab setup with ISE and another RADIUS server.

Best Regards,

Martin

Sheraz.Salim · ‎01-17-2019

kindly please do not forget to share your finding with us.

please do not forget to rate.