Policy to allow security group with authentication method

Capricorn
Level 1

Hello!

I might be doing something wrong, as I have started working with Cisco ISE 2.4 after a long time. Can anyone guide me on how to create a policy as configured for NPS in the link below?

https://help.duo.com/s/article/4785?language=en_US

Thanks

3 Replies

Hi!

Sorry for not being clear. I have a FortiGate L2TP setup and want to use Duo 2FA with L2TP. I need an NPS server in between for this.

I have an issue with the MS NPS server due to some domain NetBIOS name. My first choice was Cisco ISE, as we have it, but there is not much documentation on how this will work. So the link I posted above is the MS implementation of using Duo 2FA with L2TP.

I found this article and tried it, but when I try to connect from FortiGate the policy is not hitting.

https://finkotek.com/cisco-anyconnect-with-ise-and-duo-mfa/

Here is my workflow.

User connects to FortiGate via L2TP.

FortiGate sends traffic to Duo Proxy.

Duo Proxy sends traffic to Cisco ISE.

This article is doing the same for the MS NPS implementation:

https://help.duo.com/s/article/4785?language=en_US


hslai
Cisco Employee

@Capricorn I would suggest taking packet captures between ISE and the Duo auth proxy to see if the Duo auth proxy is sending all the attributes as expected. If it is not, please consult with the Duo support teams. If it is, please describe in more detail how the policy rules are configured and which rule is not getting hit.
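
Added example (not part of the thread or any poster's words): a small Python decoder for the attribute check suggested in the reply above. It parses the UDP payload of one captured RADIUS packet per RFC 2865 and reports which attributes are absent; the sample packet, the user name `alice` and the `EXPECTED` list are constructed assumptions, not values from this thread.

```python
import struct

# Subset of RFC 2865 attribute types that commonly appear in policy conditions.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 6: "Service-Type", 26: "Vendor-Specific",
              31: "Calling-Station-Id", 32: "NAS-Identifier",
              61: "NAS-Port-Type", 80: "Message-Authenticator"}
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         11: "Access-Challenge"}

def parse_radius(payload: bytes) -> dict:
    """Decode one RADIUS UDP payload into its code, id and attribute list."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("length field does not fit the captured payload")
    attrs, pos = [], 20              # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length at offset {pos}")
        attrs.append((ATTR_NAMES.get(atype, f"Attr-{atype}"),
                      payload[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODES.get(code, str(code)), "id": ident, "attrs": attrs}

def missing_attributes(packet: dict, expected: set) -> set:
    """Return the expected attribute names that the packet does not carry."""
    return set(expected) - {name for name, _ in packet["attrs"]}

def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

# Constructed sample (not a real capture): Access-Request, id 7, zeroed
# authenticator and password field, documentation address 192.0.2.10.
_BODY = _attr(1, b"alice") + _attr(2, bytes(16)) + _attr(4, bytes([192, 0, 2, 10]))
SAMPLE = struct.pack("!BBH", 1, 7, 20 + len(_BODY)) + bytes(16) + _BODY
# Assumption: attributes a hypothetical ISE rule matches on; use your own list.
EXPECTED = {"User-Name", "NAS-IP-Address", "NAS-Port-Type"}
if __name__ == "__main__":
    pkt = parse_radius(SAMPLE)
    print(pkt["code"], "id", pkt["id"])
    for name, value in pkt["attrs"]:
        # Never echo the encrypted password field into notes or tickets.
        print(" ", name, "<hidden>" if name == "User-Password" else value.hex())
    print("missing:", sorted(missing_attributes(pkt, EXPECTED)))
```

Feed `parse_radius` the RADIUS payload bytes exported from the capture taken between the Duo auth proxy and ISE, and set `EXPECTED` to the attributes your own policy conditions reference.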