ISE integration with MFA

mumbles202
Level 5

Currently have ISE deployed as a TACACS server for a number of network devices and was asked to look into integrating Duo with it.  I found this document:

https://community.cisco.com/t5/security-documents/protecting-access-to-network-devices-with-ise-tacacs-and-duo-mfa/ta-p/3783600#toc-hId--589596902

which seems like I'd just need to do the Duo side of the integration, then set it up as a RADIUS server for authentication, switch the policies to use that for authentication, and continue to use AD groups for authorization.  Am I reading that right, and are my assumptions correct?

4 Replies

Milos_Jovanovic
VIP Alumni

Hi @mumbles202,

You'll need to install Duo Authentication Proxy server (I always prefer two, for redundancy), and configure it on ISE as RADIUS Token server. From here, you can approach this in two ways:

  1. You can reference the previously configured RADIUS Token server in your Authentication policy.
  2. You can configure Internal Users in your authentication policy, and then, under the specific user, modify it to use RADIUS Token as the password source instead of the internal database.

In both ways, you can configure authorization against AD later.

BR,

Milos

Thanks for the reply.  So I got this working, just had to redo my policy set as before I had the authorization based on device type.  But what I'm having as an issue is when I enable a backup server (we have 2 Duo Proxy servers) it begins failing.  I've switched the primary and secondary and confirmed it works when using either of the 2 as the primary w/ the backup setting disabled.  As soon as I enabled the backup however I start having issues with logins.  

Hi @mumbles202,

I never had such an issue. What crosses my mind is that it could be related to timeouts, as MFA is a process that takes some time. Try playing around with those, both on ISE-Duo Proxy (e.g. configure them at 45s, 1 retry) and NAD-ISE (e.g. 60s, 1 retry).

BR,

Milos
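As an added illustration (not code from this thread, nor from Cisco or Duo): a small Python probe that builds an RFC 2865 PAP Access-Request and times the reply from one RADIUS endpoint, so each Duo Authentication Proxy can be measured on its own before the ISE-side RADIUS Token timeout and retry values are chosen. The host, shared secret, port and credentials passed to `probe()` are assumed placeholders.

```python
"""Time a single PAP Access-Request against one RADIUS endpoint (e.g. a Duo
Authentication Proxy) to see how long a push-approved login really takes."""
import hashlib, os, socket, struct, time

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to 16-byte blocks, XOR each block
    with MD5(secret + previous cipher block), chained from the authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out

def pap_decrypt(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt; used only to verify the encoding locally."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(secret: bytes, username: str, password: str,
                         req_id: int = 1, authenticator: bytes = b"") -> bytes:
    """Minimal Access-Request (code 1) with User-Name (1) and User-Password (2)."""
    authenticator = authenticator or os.urandom(16)  # fresh per request in practice
    attrs = b""
    for attr_type, value in ((1, username.encode()),
                             (2, pap_encrypt(password.encode(), secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", 1, req_id, 20 + len(attrs))  # length covers the whole packet
    return header + authenticator + attrs

def probe(host: str, secret: bytes, username: str, password: str,
          port: int = 1812, timeout: float = 45.0) -> tuple:
    """Send one request; return (reply code name, seconds waited). A Duo push is
    approved by a person, so the timeout must be long enough to cover that wait."""
    codes = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        sock.sendto(build_access_request(secret, username, password), (host, port))
        try:
            data = sock.recv(4096)
            return codes.get(data[0], "code %d" % data[0]), time.monotonic() - start
        except socket.timeout:
            return "timeout", time.monotonic() - start
```

Run `probe("duo-proxy-1.example.internal", b"placeholder-secret", "user", "pass")` once per proxy and compare the elapsed seconds with the ISE-to-proxy timeout; a reply that arrives after ISE has already given up looks exactly like a failed login.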

Thanks for this.  I'll give it a try to tweak the timers.  I noticed that I do have to authenticate multiple times (I enter credentials, get the push and accept, but then get prompted for another login, repeat) so timers do make sense.

I was able to get it going w/ the FMC as well, though I have to figure out why I can't ssh to the FMC.