09-15-2021 11:53 AM
Currently have ISE deployed as a TACACS server for a number of network devices and was asked to look into integrating DUO with it. I found this document:
which seems like I'd just need to do the DUO side of the integration and then set it up as a Radius server for authentication and switch the policies to use that for authentication and then continue to use AD groups for authorization. Am I reading that right and my assumptions correct?
09-15-2021 01:29 PM
Hi @mumbles202,
You'll need to install Duo Authentication Proxy server (I always prefer two, for redundancy), and configure it on ISE as RADIUS Token server. From here, you can approach this in two ways:
In both ways, you can configure authorization against AD later.
BR,
Milos
09-17-2021 07:45 AM
Thanks for the reply. So I got this working, just had to redo my policy set as before I had the authorization based on device type. But what I'm having as an issue is when I enable a backup server (we have 2 Duo Proxy servers) it begins failing. I've switched the primary and secondary and confirmed it works when using either of the 2 as the primary w/ the backup setting disabled. As soon as I enable the backup, however, I start having issues with logins.
09-17-2021 12:56 PM
Hi @mumbles202,
I never had such an issue. What crosses my mind is that it could be related to timeouts, as MFA is a process that takes some time. Try playing around with those, both on ISE-Duo Proxy (e.g. configure them at 45s, 1 retry) and NAD-ISE (e.g. 60s, 1 retry).
BR,
Milos
09-17-2021 03:43 PM
Thanks for this. I'll give it a try to tweak the timers. I noticed that I do have to authenticate multiple times (I enter credentials, get the push and accept, but then get prompted for another login, repeat) so timers do make sense.
I was able to get it going w/ the FMC as well, though I have to figure out why I can't ssh to the FMC.