Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3061
Views
5
Helpful
3
Replies

TACACS authentication with a proxy Radius and local authorization done in ISE

Go to solution
jpujol
Cisco Employee
Cisco Employee

‎05-19-2020 09:58 AM

Hi, 

 

I'm trying together with a DUO engineer to find a solution to create a TACACS policy in ISE where the authentication is done through a proxy-radius, while the authorization is still defined in (and returned by) ISE.

The ultimate goal obviously is to integrate a dual factor with DUO radius-proxy.

 

Currently, it seems that ISE is doing only an authentication process when the identity database is pointing to a radius server, while the authorization works with a local identity source. It doesn't allow the proper set of rights to be sent back to the network device.

 

I don't know wether it's an expected behavior, or if there is some particular config to continue with the authorization rules once the authentication is done. 

 

Thanks for any comment, 

 

Jean-Francois

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎05-19-2020 06:49 PM - edited ‎05-19-2020 06:54 PM

Hi 

 

You want to connect on a device using tacacs and getting a push from Duo for authentication and if ok then push a shell profile. If so then it is possible using the proxy radius which I believe you refer to Duo Proxy?

Below my authproxy.cfg

Screenshot from 2020-05-19 21-40-58.png

Then on your ISE, configure the Identity source sequence to have both your MFA Proxy Radius and AD and reference it in your authentication policy for tacacs. Rest of the configuration on the authorization side remains the same.

 

Screenshot from 2020-05-19 21-46-41.pngScreenshot from 2020-05-19 21-46-55.pngScreenshot from 2020-05-19 21-47-29.pngScreenshot from 2020-05-19 21-47-39.png

 

 

When you connect to your device, you enter your username and password, got a push from Duo you need to accept and you're connected.

You can increase the timeout to avoid any issues.

 

Screenshot from 2020-05-19 21-51-10.pngScreenshot from 2020-05-19 21-54-21.png

 

Hope this answers your question

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

3 Replies 3

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎05-19-2020 06:49 PM - edited ‎05-19-2020 06:54 PM

Hi 

 

You want to connect on a device using tacacs and getting a push from Duo for authentication and if ok then push a shell profile. If so then it is possible using the proxy radius which I believe you refer to Duo Proxy?

Below my authproxy.cfg

Screenshot from 2020-05-19 21-40-58.png

Then on your ISE, configure the Identity source sequence to have both your MFA Proxy Radius and AD and reference it in your authentication policy for tacacs. Rest of the configuration on the authorization side remains the same.

 

Screenshot from 2020-05-19 21-46-41.pngScreenshot from 2020-05-19 21-46-55.pngScreenshot from 2020-05-19 21-47-29.pngScreenshot from 2020-05-19 21-47-39.png

 

 

When you connect to your device, you enter your username and password, got a push from Duo you need to accept and you're connected.

You can increase the timeout to avoid any issues.

 

Screenshot from 2020-05-19 21-51-10.pngScreenshot from 2020-05-19 21-54-21.png

 

Hope this answers your question

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Go to solution
jpujol
Cisco Employee
Cisco Employee
In response to Francesco Molino

‎06-15-2020 11:58 PM

thanks a lot for your reply, very helpful !
0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to jpujol

‎06-16-2020 08:29 PM

Glad it helped

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Customers Also Viewed These Support Documents