jpujol
Cisco Employee

TACACS authentication with a proxy Radius and local authorization done in ISE

Hi,

I'm trying, together with a DUO engineer, to find a solution to create a TACACS policy in ISE where the authentication is done through a proxy-radius, while the authorization is still defined in (and returned by) ISE.

The ultimate goal obviously is to integrate a dual factor with DUO radius-proxy.

Currently, it seems that ISE is doing only an authentication process when the identity database is pointing to a radius server, while the authorization works with a local identity source. It doesn't allow the proper set of rights to be sent back to the network device.

I don't know whether it's an expected behavior, or if there is some particular config to continue with the authorization rules once the authentication is done.

Thanks for any comment,

Jean-Francois

Accepted Solution
Francesco Molino
VIP Mentor

Hi,

You want to connect to a device using TACACS, get a push from Duo for authentication and, if OK, then push a shell profile. If so, it is possible using the proxy RADIUS, which I believe you refer to as Duo Proxy?

Below is my authproxy.cfg.

[Screenshot: authproxy.cfg (2020-05-19 21-40-58)]

Then on your ISE, configure the Identity Source Sequence to have both your MFA Proxy RADIUS and AD, and reference it in your authentication policy for TACACS. The rest of the configuration on the authorization side remains the same.

[Screenshots: ISE configuration (2020-05-19 21-46-41, 21-46-55, 21-47-29, 21-47-39)]

When you connect to your device, you enter your username and password, get a push from Duo that you need to accept, and you're connected.

You can increase the timeout to avoid any issues.

[Screenshots: 2020-05-19 21-51-10, 21-54-21]

Hope this answers your question.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
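Since the authproxy.cfg screenshot is not available in this thread, here is an added example of a Duo Authentication Proxy configuration for the flow Francesco describes (AD password first, then a Duo push, with ISE as the RADIUS client). This is not Francesco's file: the hostnames, addresses, service account, Duo keys and shared secret are placeholders to be replaced with your own values.

```ini
; Added example authproxy.cfg, reconstructed for this thread (not the
; screenshot from the post). Every host, address, key and secret below is
; a placeholder.

; Primary authentication: the proxy validates the username/password against
; AD before asking Duo for the second factor.
[ad_client]
host=dc1.example.local
service_account_username=duo-proxy-svc
service_account_password=REPLACE_ME
search_dn=DC=example,DC=local

; RADIUS listener that ISE points at as its RADIUS token server.
; "auto" mode sends a push once the AD password succeeds, which matches the
; user experience described above: enter password, accept push, connected.
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_WITH_DUO_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
; Address of the ISE node that will send RADIUS requests, and the shared
; secret that must match the one entered in ISE for this token server.
radius_ip_1=10.0.0.10
radius_secret_1=REPLACE_WITH_SHARED_SECRET
client=ad_client
port=1812
; failmode=safe lets the password alone through if the Duo cloud cannot be
; reached; failmode=secure rejects the login instead. For administrative
; access to network devices the secure setting is the conservative choice.
failmode=secure
```

On the ISE side the RADIUS token server's timeout has to cover the time a user takes to approve the push, which is presumably the timeout Francesco recommends increasing.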

Thanks a lot for your reply, very helpful!

Glad it helped

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question