
ISE integration with DUO

tashaver
Cisco Employee

Hi all,

Wondering if we have any documentation on Duo Security integration with ISE with step by step instructions on how to enable this. The requirement is for all admins to authenticate to Cisco WLCs with 2 factor authentication. 

Accepted Solutions

Cory Peterson
Level 5

Another user has a step by step guide here: https://community.cisco.com/t5/security-documents/using-duo-with-ise-2-3-and-acs-5-x-for-2fa-cisco-network-admin/ta-p/3642171

 

It talks about using it for Admin authentication but could easily be used for User login also. 

Martin Hart
Level 1

Adding this for info,

I have also shared on the other pages

 

I had a look at the ACS/ISE guide which is also shared by duo. I ran into an issue with ISE 2.4 Patch 5. When I added an external ID source I got a lot of error 401 in the DUO proxy log. Our initial login to the devices was via RADIUS not TACACS. 

I fixed the issue by configuring the DUO auth proxy as an external RADIUS server with a timeout of 60 seconds.

Configured a RADIUS server sequence pointing to the new external RADIUS server.

In the advanced options, select continue to Authorization policy on Access-Accept.

Configured the policy set in ISE to reference the external RADIUS server sequence.

Configured authorization policies as required with different levels of access.

 

Hope this helps anyone who is struggling to get ISE working with RADIUS MFA from a network device. I also believe this would work for other RADIUS-based logins via ISE.

 

Hi Martin,

I am interested to know if you tested with AnyConnect to push dACLs to the users.

And, your setup, is: ISE and DUO? or vice-versa.

 

My main goal is to be able to authenticate AnyConnect with DUO and ISE (which is working), but I cannot push dACLs to AnyConnect.

Do you have any ideas around this setup? I am using ISE 2.2

 

Thanks,
