ISE fallback to second ID store when first ID store is not reachable

Madura Malwatte
Level 4

Hi All,

I am trying to solve the following problem:

We have MFA for our VPN using Okta with ISE. Okta is configured as a RADIUS Token server on ISE and is working fine. In the event the Okta servers are not reachable for any reason, we want to be able to fall back to a secondary identity store (Active Directory with no MFA), so users are not locked out of the VPN and have another method to authenticate. So basically, when the Okta servers are not reachable, I want ISE to then check the 2nd ID store in the list, which would be AD. Is my understanding correct, and is the configuration I am proposing going to work?

RADIUS token config:

[screenshot: RADIUS token server configuration]

For the ID source sequence, I have first on the list the RADIUS token server (Okta), then AD, and have selected "Treat as if the user was not found and proceed to the next store".

[screenshot: identity source sequence]

The authentication policy would then use this ISS.

[screenshot: authentication policy]

When the RADIUS token (Okta) servers are not reachable, this is what ISE reports. So would the proposed config above then revert to using AD for authentication?

[screenshot: ISE live log entry for the unreachable RADIUS token server]

Accepted Solution

Colby LeMaire
VIP Alumni

Your understanding is correct; however, it would be good to test to be sure. When the option of "User not found" is used, ISE will move on to the next identity store. This is not what you want, since users would then be able to bypass MFA. But with the "authentication failed" option, ISE should stop processing the identity store sequence and reject the request.

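To make the two outcomes discussed in this thread concrete, here is an added example (written for this page; it is not ISE code and uses no Cisco API) that models how an ISE identity source sequence walks its stores. The store names, the result vocabulary and the two option names (`TREAT_AS_NOT_FOUND` for "treat as if the user was not found and proceed to the next store", `PROCESS_ERROR` for the stop-and-reject option) are assumptions that mirror the wording in the thread; the user records and credentials are constructed test data. It also covers two cases the thread only implies: a wrong OTP while Okta is up stops the sequence (AD is never consulted), and a user unknown to both stores is rejected.

```python
"""
Added example for this thread (not ISE code, not a Cisco API): a model of how
a Cisco ISE identity source sequence (ISS) walks its stores, used to show why
"treat as if user was not found and proceed" turns an Okta outage into an MFA
bypass, while the stop-on-error option fails closed.  Store names, the result
vocabulary and the two option names are assumptions mirroring the thread.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    SUCCESS = "success"            # store authenticated the user
    USER_NOT_FOUND = "not_found"   # store has no such user
    AUTH_FAILED = "auth_failed"    # store knows the user, rejected the credential
    UNREACHABLE = "unreachable"    # store could not be contacted


class OnUnreachable(Enum):
    TREAT_AS_NOT_FOUND = "proceed"  # fall through to the next store in the ISS
    PROCESS_ERROR = "stop"          # stop the sequence and reject the request


@dataclass
class Store:
    name: str
    enforces_mfa: bool
    lookup: Callable[[str, str], Result]   # (username, credential) -> Result


def evaluate_sequence(stores: List[Store], on_unreachable: OnUnreachable,
                      user: str, cred: str) -> Dict[str, object]:
    """Walk the ISS in order: a success or an explicit failure ends the walk;
    'user not found' (and, with TREAT_AS_NOT_FOUND, 'unreachable') moves on."""
    trail: List[Tuple[str, Result]] = []
    for store in stores:
        r = store.lookup(user, cred)
        trail.append((store.name, r))
        if r is Result.SUCCESS:
            return {"decision": "ACCEPT", "store": store.name,
                    "mfa_enforced": store.enforces_mfa, "trail": trail}
        stop_on_unreachable = (r is Result.UNREACHABLE
                               and on_unreachable is OnUnreachable.PROCESS_ERROR)
        if r is Result.AUTH_FAILED or stop_on_unreachable:
            return {"decision": "REJECT", "store": store.name,
                    "mfa_enforced": False, "trail": trail}
        # USER_NOT_FOUND, or UNREACHABLE treated as not found: try the next store
    return {"decision": "REJECT", "store": None, "mfa_enforced": False, "trail": trail}


# --- constructed backends standing in for Okta (RADIUS token) and AD ----------
OKTA_USERS = {"alice": "123456"}       # constructed: user -> current OTP
AD_USERS = {"alice": "Winter2020!"}    # constructed: user -> AD password


def okta_backend(reachable: bool) -> Callable[[str, str], Result]:
    """Simulated RADIUS token server; `reachable=False` models the outage."""
    def lookup(user: str, cred: str) -> Result:
        if not reachable:
            return Result.UNREACHABLE
        if user not in OKTA_USERS:
            return Result.USER_NOT_FOUND
        return Result.SUCCESS if OKTA_USERS[user] == cred else Result.AUTH_FAILED
    return lookup


def ad_backend(user: str, cred: str) -> Result:
    """Simulated AD store: password only, no second factor."""
    if user not in AD_USERS:
        return Result.USER_NOT_FOUND
    return Result.SUCCESS if AD_USERS[user] == cred else Result.AUTH_FAILED


def vpn_auth(okta_reachable: bool, on_unreachable: OnUnreachable,
             user: str, cred: str) -> Dict[str, object]:
    """The sequence from the thread: Okta RADIUS token first, AD second."""
    stores = [Store("Okta_RADIUS_Token", True, okta_backend(okta_reachable)),
              Store("AD", False, ad_backend)]
    return evaluate_sequence(stores, on_unreachable, user, cred)


if __name__ == "__main__":
    # alice submits only her AD password, which is all she has once Okta is down
    for reachable in (True, False):
        for opt in OnUnreachable:
            out = vpn_auth(reachable, opt, "alice", "Winter2020!")
            print(f"okta_up={reachable!s:5} option={opt.name:18} -> "
                  f"{out['decision']} via {out['store']} mfa={out['mfa_enforced']}")
```

Running the block shows the four combinations: with Okta up the AD password is rejected by Okta and the sequence stops, so AD is never tried; with Okta down and the "proceed" option the same password is accepted by AD with `mfa_enforced=False`, which is the bypass the accepted answer warns about; with the stop option the request is rejected instead.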

Replies

cisco.13
Level 1

Hello,

Can you tell me how I check the user's group in Okta, please?

Thank you