02-07-2022 10:46 PM - edited 02-07-2022 10:47 PM
Is it possible to require authorization against two external identity sources? Identity source sequence seems to only require passing one or the other external identity source, but I want to require both. I would like to use LDAP to validate the user (verify password and group membership "this has been working fine") then after that is validated, send the username and password to our DUO radius proxy for MFA (Duo-Client-Only) processing.
We use ISE to authorize remote VPN users on our ASA. We now have a requirement to add MFA push at login.
02-08-2022 01:29 PM
That type of authentication flow is not possible. The way to implement Duo MFA with ISE is using the Duo Authentication Proxy and having it do the lookup against LDAP as documented in this Duo guide.
02-08-2022 11:15 PM
Hi @mletchworth,
As @Greg Gibbs wrote, such a flow is not possible. ISE can either process authentication on its own, or it can pass it forward to someone else, but can still proceed with authorization.
The way I have done implementations with Duo is to install the Duo Authentication Proxy, integrate it with AD/LDAP and the Duo cloud, and then integrate ISE with the Duo Proxy via the RADIUS protocol. The guide that Greg shared uses External RADIUS servers. I have also used integration with ISE as a RADIUS Token server.
BR,
Milos
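
The setup described in the replies above, sketched as a Duo Authentication Proxy `authproxy.cfg` (an added example, not taken from the thread or from the linked Duo guide). Every value is a placeholder; it assumes ISE is the RADIUS client of the proxy and that the proxy performs the primary password check against AD/LDAP before sending the Duo push.

```ini
; Primary authentication: the proxy, not ISE, checks the password against AD/LDAP.
[ad_client]
host=<DC_OR_LDAP_HOST>
service_account_username=<BIND_ACCOUNT>
service_account_password=<BIND_PASSWORD>
search_dn=<BASE_DN_FOR_USER_SEARCH>
; Optional: only members of this group pass primary authentication.
security_group_dn=<VPN_USERS_GROUP_DN>

; RADIUS listener that ISE points at (External RADIUS server or RADIUS Token server).
[radius_server_auto]
ikey=<DUO_INTEGRATION_KEY>
skey=<DUO_SECRET_KEY>
api_host=<DUO_API_HOSTNAME>
; Accept RADIUS requests only from the ISE node(s).
radius_ip_1=<ISE_PSN_IP>
radius_secret_1=<SHARED_SECRET_MATCHING_ISE>
; Use the [ad_client] section above for the first factor.
client=ad_client
; secure = deny logins when the Duo service is unreachable; safe = allow them.
failmode=secure
port=1812
```

The file holds the bind password, the Duo secret key and the RADIUS shared secret, so restrict read access to the account the proxy runs as. Choose `failmode` deliberately: `safe` keeps VPN logins working during a Duo outage, at the cost of those logins being password-only.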