Multiple identity sources for Authorization

mletchworth
Level 1

Is it possible to require authorization against two external identity sources? Identity source sequence seems to only require passing one or the other external identity source, but I want to require both. I would like to use LDAP to validate the user (verify password and group membership "this has been working fine"), then after that is validated, send the username and password to our Duo RADIUS proxy for MFA (Duo-Client-Only) processing.

 

We use ISE to authorize remote VPN users on our ASA. We now have a requirement to add MFA push at login.

Accepted Solutions

Greg Gibbs
Cisco Employee

That type of authentication flow is not possible. The way to implement Duo MFA with ISE is using the Duo Authentication Proxy and having it do the lookup against LDAP as documented in this Duo guide.

Milos_Jovanovic
VIP Alumni

Hi @mletchworth,

As @Greg Gibbs wrote, such a flow is not possible. ISE can either process authentication on its own, or it can pass it forward to someone else, but can still proceed with authorization.

The way I did implementations with Duo was to install the Duo Authentication Proxy, integrate it with AD/LDAP and Duo cloud, and then integrate ISE with the Duo Proxy via the RADIUS protocol. The guide that Greg shared uses External RADIUS servers. I also used integration with ISE as a RADIUS Token server.

BR,

Milos
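
The proxy layout both replies describe, as an added example that is not part of either post or of the Duo guide: the Duo Authentication Proxy performs the LDAP password and group check itself (`[ad_client]`) and then triggers Duo MFA, with ISE configured as its RADIUS client (`[radius_server_auto]`). Every hostname, IP address, DN, key and secret below is a placeholder.

```ini
; authproxy.cfg (Duo Authentication Proxy), all values are placeholders

[ad_client]
; Primary authentication: the proxy binds to AD/LDAP and checks the password.
host=ldap01.example.internal
service_account_username=svc-duoproxy
service_account_password=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
search_dn=DC=example,DC=internal
; Only members of this group pass primary authentication,
; which covers the group-membership check from the question.
security_group_dn=CN=VPN-Users,OU=Groups,DC=example,DC=internal
; Protect the bind and user credentials on the wire to the directory.
transport=ldaps
ssl_ca_certs_file=conf/ldap-ca.pem

[radius_server_auto]
; Secondary authentication: Duo application credentials (from the Duo Admin Panel).
ikey=REPLACE_WITH_INTEGRATION_KEY
skey=REPLACE_WITH_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
; ISE is the RADIUS client of the proxy; list each ISE node that sends requests.
radius_ip_1=192.0.2.10
radius_secret_1=REPLACE_WITH_SHARED_SECRET
; Use the [ad_client] section above for the first factor.
client=ad_client
port=1812
; "safe" lets users in on primary auth alone when Duo's service is unreachable;
; "secure" rejects them. Pick deliberately for a VPN entry point.
failmode=secure
```

On the ISE side the proxy is then added as an External RADIUS server or a RADIUS Token server, as mentioned in the replies, using the same shared secret and port.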