3160 Views · 0 Helpful · 24 Replies

Multiple Authentication Policies

Steven Williams
Level 4

OK, I have been struggling here so I need help. I am not sure if it's a limitation of ISE or of the Duo Security proxy servers.

I have an AnyConnect VPN termination point on a pair of ASAs. This is integrated with Duo Security.

So a user is prompted for username and password, and once that is successful they get a Duo push on their mobile device to accept, and they are on the VPN and can work as normal. Simple, right?

Now for the twist.

I have 2 AD forests with a two-way cross-forest trust, so my ISE server can search both AD domains. This is working, because both domains have admins that authenticate via TACACS for devices.

Now I'm working with RADIUS. The challenge is that RADIUS requests from a Duo proxy have to be on different ports for each domain. OK, easy: one domain will use 1812 and the other will use 1645. So I add the ISE server twice in "RADIUS Token", one instance using port 1812 and one using 1645, same IP address but different ports.

So now I need to add policy sets:

I started with two and created one that ties to one RADIUS server on port 1812 and is told to look for the external identity source for DomainA. The other policy set says use the other RADIUS token on port 1645 and look for the external identity source for DomainB.

The issue is when the user enters their username in the AnyConnect VPN they just use username, not domain\username or username@domain. So ISE takes in that info and compares it to the first policy, and if that username is not in DomainA it just fails and never goes down to the next policy set.

So I want to add two RADIUS server tokens to the "auth policy" in the policy set but can't seem to do that without a condition.

[Attachment: ISEAUTH.jpeg]

I just want the authentication policy to use both Duo proxy servers and both ports so if one fails it will try the other one. Is that even possible?

24 Replies

Yes, that is right. The user can definitely type domain\username into the AnyConnect login prompt.

Then in ISE you can look at the RADIUS username attribute in the authentication phase to send it to the correct Duo IP/port:

If username contains "domain-a\" then send to Duo for domain A lookups.

If username contains "domain-b\" then send to Duo for domain B lookups.

So in the policy set > Authentication Policy > create a custom rule that says if radius:username equals (what goes here, AD Join Point?) then use this RADIUS server?

You are only sending the data to Duo not your AD. So write two authentication rules doing username inspection and send it to the correct Duo IP/port based on domain.


I guess I am struggling with making the Authentication rules, because besides the default one that just says use Proxy A or B, nothing works to check the username in each domain.

Like I said, use the RADIUS Username attribute. The client must specify domain\username and then you create your two rules in the authentication phase.


Would this all be in the same Policy Set? Or two Policy Sets, one per domain?

Same policy set. Just build two authentication rules as I laid out. All you are doing is string inspection to determine domain A or domain B in the fully qualified username and send it to the correct Duo.


Well how do I get it to accept their domain\username? I have read that the ASA doesn't like that

I have also tried to nest DomainA users in DomainB groups and have ISE only look at DomainB, and it still fails. Says the user doesn't exist. Was a little sad that "cheat" didn't work.

I am not clear what exactly you tried with nesting DomainA users in DomainB groups and why. If the group lookups are using regular LDAP, it might not work with nested groups.

I believe the ASA supports multiple authentications, so you could try authenticating to Duo with single Duo factors (push, phone, text) as one authentication, and then authenticate to ISE as the second authentication.

If that does not work, Duo auth proxy has an option to act as a radius client and proxy the requests to another RADIUS server, which could be ISE, to perform auth with multiple domains -- https://duo.com/docs/authproxy_reference#radius_client
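For reference, here is an added example of how the two-port Duo Authentication Proxy layout the question describes looks in authproxy.cfg: one proxy with two RADIUS listeners, 1812 bound to DomainA and 1645 bound to DomainB, each one matching one of the two "RADIUS Token" entries on ISE. This is constructed for illustration, not a config from any poster in the thread; the hostnames, search DNs, Duo keys, ISE address and secrets are placeholders.

```ini
; Constructed example authproxy.cfg (placeholder values throughout).
; Primary authentication client for DomainA.
[ad_client]
host=dc1.domain-a.example
service_account_username=duo-svc
service_account_password=PLACEHOLDER_PASSWORD
search_dn=DC=domain-a,DC=example

; Second primary authentication client for DomainB
; (Duo allows numbered copies of a section, e.g. ad_client2).
[ad_client2]
host=dc1.domain-b.example
service_account_username=duo-svc
service_account_password=PLACEHOLDER_PASSWORD
search_dn=DC=domain-b,DC=example

; Listener for DomainA on UDP 1812. On ISE this is the first
; RADIUS Token server entry (proxy IP, port 1812).
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER_SKEY
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
port=1812
; Only ISE is allowed to talk to this listener.
radius_ip_1=192.0.2.10
radius_secret_1=PLACEHOLDER_RADIUS_SECRET
; Deny rather than bypass MFA if the Duo cloud is unreachable.
failmode=secure

; Listener for DomainB on UDP 1645, bound to the DomainB AD client.
; On ISE this is the second RADIUS Token server entry (same IP, port 1645).
[radius_server_auto2]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER_SKEY
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client2
port=1645
radius_ip_1=192.0.2.10
radius_secret_1=PLACEHOLDER_RADIUS_SECRET
failmode=secure
```

With this layout the proxy never inspects the domain itself; each listener only ever tries its own AD, which is why ISE has to steer the request to the right port (for example with the two username-inspection rules suggested earlier in the thread) or the user must be found in one domain only.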