
RADIUS Token Failover with Duo Proxy Servers

Steven Williams
Level 4

I don't think DUO Proxy matters in this case, but how do the RADIUS token primary and failover servers work? I can never get the authentication to access the secondary server. Timeout on primary is 60 seconds. Do I need to lower this?

Policy says "if process fails [DROP]". I assume this means it would query the secondary server in the RADIUS token. Doesn't seem to ever get there.

20 Replies

Well, after much aggravation and working with DUO, they have suggested that we redesign this.

Rather than ASA - ISE - DUO Proxy

They suggested ASA - DUO - ISE

We had a lot of timing issues with the original design and many lockouts.

Some issues now are with dACLs and my AnyConnect clients. From what I can gather (I inherited this setup), when the ASA sends RADIUS requests to ISE, in addition to the RADIUS ports it sends CoA on port 1700 to ISE. Now with DUO servers in the middle and the ASA sending RADIUS requests to DUO and not ISE, dACLs seem to now work.

How is this setup built with something like RSA? There have to be similarities.

Don’t do ASA->DUO->ISE; do:

ASA authentication to DUO
ASA authorization to ISE

In your connection profile you can point to ISE for authorization. Now, RADIUS doesn’t have a concept of authorization like TACACS, so you have to fake your way past the authentication phase. In the policy set for this, set the identity store to Internal Users and set "user not found" to Continue. That will get past authentication; then all your AD lookups will work in authorization and you can apply whatever dACLs you want.

So what should the AAA server group be then if you are going to define DUO in the authentication section and ISE in the authorization profile?

It is a different part of the connection profile. The AAA group would be DUO. Then on the left side (using ASDM) of the connection profile you can open up the other settings and you will see there is an authorization section. Point at ISE there.
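The split design described in the two replies above, written out as an added ASA CLI example (not from this thread, Cisco or Duo); group names, the tunnel-group name, addresses and the shared secrets are made-up placeholders, and the 60-second timeout on the DUO hosts is the value the original poster mentioned:

```text
! Added example, not from the thread: two RADIUS server groups so that
! authentication goes to the Duo Authentication Proxy and authorization
! (dACLs, group policy, CoA) goes to ISE. Addresses, names and the
! shared secrets below are placeholders.

! --- Group 1: Duo proxies, primary and secondary, authentication only ---
aaa-server DUO protocol radius
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server DUO (inside) host 192.0.2.10
 key <DUO-RADIUS-SECRET>
 authentication-port 1812
 accounting-port 1813
 timeout 60
aaa-server DUO (inside) host 192.0.2.11
 key <DUO-RADIUS-SECRET>
 authentication-port 1812
 accounting-port 1813
 timeout 60

! --- Group 2: ISE, authorization and CoA on port 1700 ---
aaa-server ISE protocol radius
 dynamic-authorization
 dynamic-authorization-port 1700
aaa-server ISE (inside) host 192.0.2.20
 key <ISE-RADIUS-SECRET>
 authentication-port 1812
 accounting-port 1813
 timeout 5

! --- Connection profile: authenticate against DUO, authorize against ISE ---
tunnel-group RA-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group DUO
 authorization-server-group ISE
 authorization-required
 accounting-server-group ISE
 default-group-policy RA-GP
```

ISE still needs the policy-set change from the earlier reply (Internal Users as the identity store with "user not found" set to Continue) so the authorization request gets past ISE's authentication phase and the AD-based authorization rules can assign the dACL.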


Ok, so create two separate AAA server groups, one with DUO proxies using the RADIUS port 1812, and the other with ISE servers also using the RADIUS port but with CoA port 1700 on it?

So the AnyConnect client connects and is prompted for username and password, the user types DomainA/username, and then the ASA calls to DUO and DUO does an AD lookup to the DC using the [ad_client] section. So that is then a go or a no; if a go, then the ASA calls to ISE and looks at what?

How would you build your authentication section in the ISE policy set?

I think the challenge is still two forest domains. Right now ISE makes the choice of which DC is queried based on the RADIUS name consisting of DomainA or DomainB.

I think the issue is going to stand in that the ASA will look to the first DUO in the AAA server list. The request will go to the DUO server on the same RADIUS port, so the DUO proxy configuration will only use one AD DC for one port. This is why I had to send authentication to ISE, so I can read in the RADIUS name and point requests to certain AD join points based on the domain prefix.