Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3156
Views
0
Helpful
24
Replies

Multiple Authentication Policies

Go to solution
Steven Williams
Level 4
Level 4

‎10-18-2018 05:40 AM

Ok I have been struggling here so I need help. I am not sure if its a limitation of ISE or DUO security Proxy servers.

 

I have an anyconnect VPN termination point on a pair of ASA's. This is integrated with DUO security.

 

So a user is prompted for username and password and once that is successful then they get a DUO push on their mobile device to accept and they are on the VPN and can work as normal.  Simple right? 

 

Now for the twist.

 

I have 2 AD forests with a cross forest 2 way trust. So my ISE server can search both AD Domains, This is working due to both domains having admins that authenticate via TACACS for devices. 

 

Now I'm working with RADIUS. So the challenge is radius requests from a DUO proxy have to be on different ports for each domain. Ok easy, one domain will use 1812 and the other will use 1645. So I add the ISE server twice in "RADIUS Token" one instance using port 1812 and one using 1645. Same IP address but different ports. 

 

So Now I need to add policy sets:

 

I started with two and created one that ties to one radius server on port 1812 and is told to look for external identity source for DomainA. The other Policy set says use the other Radius token on port 1645 and look for external identity source for DomainB. 

 

The issue is when the user enters their username in anyconnect VPN they just use username, not domain\username or username@domain. So ISE takes in that info and compares it the first policy and if that username is not in DomainA it just fails and never goes down to the next policy set. 

 

SO I want to add two radius server tokens to the "auth policy" in the policy but cant seem to do that without a condition. 

ISEAUTH.jpeg

I just want the authentication policy to use both Duo Proxy servers and both ports so if one fails it will try the other one. Is that even possible. 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
paul
Level 10
Level 10
In response to Steven Williams

‎10-18-2018 10:17 AM

Same policy set. Just build two authentication rules as I laid out. All you are doing is string inspection to determine domain A or domain B in the fully qualified username and send it to the correct Duo.


View solution in original post

0 Helpful
24 Replies 24

Go to solution
Arne Bier
VIP
VIP

‎10-18-2018 06:15 AM

Have you tried putting the external identity sources into an Identity SOurce Sequence, and then referencing that in your Authentication Policy?  The search order will be strictly top to bottom, but at least you have the option of looking in the second one if the first once doesn't respond, or doesn't yield a positive result.

0 Helpful

Go to solution
Steven Williams
Level 4
Level 4
In response to Arne Bier

‎10-18-2018 07:36 AM

I will so no because I don't know what that means. Any resources or blogs to assist?

 

0 Helpful

Go to solution
Steven Williams
Level 4
Level 4
In response to Steven Williams

‎10-18-2018 07:39 AM

Identity source sequence for the forest/domains or the Radius token servers?

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Steven Williams

‎10-18-2018 09:20 AM

I have a feeling the identity source sequence won't work because the Duo servers will always respond with a pass/fail.  So if you send username to Duo on 1812 going to the first domain, but the username is not in the first domain Duo is going to respond with a fail and ISE will not move to the second one in the sequence.

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Steven Williams

‎10-18-2018 09:22 AM

Also this is not really an ISE issue it really is a Duo/multiple domain issue.  Let's say you weren't an ISE customer and were adding Duo 2FA to your ASA VPN authentication path.  The ASA is only going to send to one RADIUS IP/port for authentication.  How would Duo want you to design it in this case?  Most likely they are going to say the user needs to fully qualify their username.

 

 

0 Helpful

Go to solution
Steven Williams
Level 4
Level 4
In response to paul

‎10-18-2018 09:29 AM

So DUO has told me within my Proxy config I can configure two ldap search queries essentially authenticating against the same RADIUS server (ISE) but on different ports. So I did this. Then setup two radius tokens with the same IP address, but different ports. 1812 and 18120. The when I tell the authentication policy to continue if the first attempt fails then it goes to the next policy. So I can get both usernames in each forest to authenticate but only one will get DUO push. 

 

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Steven Williams

‎10-18-2018 09:27 AM

One final thought.  I would honestly just look to setup two Group URLs, one for each domain, then ISE can pick that apart and send it to the correct Duo RADIUS IP/port.  So:

 

vpn.mycompany.com/domain-a

vpn.mycompany.com/domain-b

 

Each of these would be different connection profiles on the ASA. The connection profile name is passed to ISE as the VPN 3000:Tunnel Group Name (attribute 146).  So you could have two policy sets based on the tunnel group name.  Then you send the authentication to the correct Duo IP/port.

 

 

0 Helpful

Go to solution
Steven Williams
Level 4
Level 4
In response to paul

‎10-18-2018 09:30 AM

That was my original design but the powers to be don't want users to have to select their domain for connection profile. :(

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Steven Williams

‎10-18-2018 09:33 AM

Yeah I figured that would be the case, but you can push out client profiles (XML) that have friendly names like "Company VPN Domain A" and "Company VPN Domain B".  The user just has to select it the first time and AnyConnect will remember their selection.

 

It is either they make a one time selection or they have to specify their fully qualified username when they connect.  If you find something else I would like to know how you got it to work.

0 Helpful

Go to solution
Steven Williams
Level 4
Level 4
In response to Steven Williams

‎10-18-2018 09:34 AM

Why does this tell me the ASA is sending requests to ISE on 1645?

Untitled11.jpeg

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Steven Williams

‎10-18-2018 09:36 AM

That is just the default RADIUS ports the ASAs use.  I always change them to the newer port, 1812/1813.  ISE listens on both sets of ports so it really doesn't matter.

0 Helpful

Go to solution
Steven Williams
Level 4
Level 4
In response to paul

‎10-18-2018 09:40 AM

so the user types in their username and the asa\anyconnect calls out to ISE on port 1812 (even though mine says 1645?) then the request hits ISE, and the policy says use DUO proxy (on what port does this happen) then DUO goes out and checks LDAP and makes sure user is in LDAP and they have an account with DUO, then sends pass\fail back to ISE?

0 Helpful

Go to solution
Steven Williams
Level 4
Level 4
In response to Steven Williams

‎10-18-2018 09:45 AM

Will having two DUO Proxy servers solve the issue? Each one doing search in one domain both pointing to ISE on 1812, or am I in a bind from an ISE standpoint? Give ISE another IP address? I wouldn't think I have to roll out another ISE server?
0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Steven Williams

‎10-18-2018 09:53 AM

There is no difference between a single Duo IP with two ports or two Duo IPs with same port. You either need to get the users to fully qualify or use a different group URL. It is more of a Duo issue than ISE.



If you were doing the AD authentication with ISE and not sending to Duo, ISE would automatically check both domains and everything would work just fine.


0 Helpful
Customers Also Viewed These Support Documents