Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9550
Views
5
Helpful
6
Replies

TACACS two factor authentication with DUO

Go to solution
smano
Cisco Employee
Cisco Employee

‎01-10-2019 11:53 AM

Hi folks, 

 

I haven't worked much on multi factor authentication on ISE. So it would be great if I get more details on this, The customer needs the below design to support from ISE, is it possible? So basically they want to do TACACS auth for the below devices where the authentication request should go to AD and then once successful it should go to DUO server for phonecall or token? Is there any configuration example which helps the scenerio 

 

Screen Shot 2019-01-10 at 2.43.53 PM.png

List of network devices we will use for testing:

Nexus 7710  - 8.2.1 Code
Nexus 93180  - 7.x
ASR1009  - 16.6.4
ASR9K - 6.2.3
Catalyst 4510 - 3.02.10.SG
WLC 8540  - 8.5.143.0
WLC 5508 - 8.3.133.10
WLC 5760 - 03.07.05E
Cisco PI - 3.4
Cisco ISE - 2.3 Patch 5
Cisco Prime Assurance -
F5 LTM/GTM -
InfoBlox - 8.2.2
Cisco VG350 –
Cisco Call Manager – 11.5.x
Cisco ASA5580 – 8.4.x
FTD - 6.x

 

1 person had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Surendra
Cisco Employee
Cisco Employee

‎01-10-2019 01:09 PM

Configure ISE as a TACACS server and DUO as a RADIUS server on the Network device.

Configure authentication to be done against ISE (Configure ISE to look for the user in AD) and authorization to be done against DUO.

This will work as long as the network device supports different servers for authentication and authorization.

ISE in itself does not support MFA but utilizes the third party device capability to do so. TACACS has a very limited scope when it some to MFA on ISE. For instance : https://community.cisco.com/t5/security-documents/using-duo-with-ise-2-3-and-acs-5-x-for-2fa-cisco-network-admin/ta-p/3642171

If you plan to use RADIUS, then you can probably try this https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/213239-configure-external-radius-servers-on-ise.html#anc7 . Here you can check with DUO call or OTP first and then lookup the user in the AD in authorization policies if you choose the option to continue with authorization on Access-Accept.

You cannot do the other way around with ISE with either of the protocols i.e., AD first and then DUO.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Surendra
Cisco Employee
Cisco Employee

‎01-10-2019 01:09 PM

Configure ISE as a TACACS server and DUO as a RADIUS server on the Network device.

Configure authentication to be done against ISE (Configure ISE to look for the user in AD) and authorization to be done against DUO.

This will work as long as the network device supports different servers for authentication and authorization.

ISE in itself does not support MFA but utilizes the third party device capability to do so. TACACS has a very limited scope when it some to MFA on ISE. For instance : https://community.cisco.com/t5/security-documents/using-duo-with-ise-2-3-and-acs-5-x-for-2fa-cisco-network-admin/ta-p/3642171

If you plan to use RADIUS, then you can probably try this https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/213239-configure-external-radius-servers-on-ise.html#anc7 . Here you can check with DUO call or OTP first and then lookup the user in the AD in authorization policies if you choose the option to continue with authorization on Access-Accept.

You cannot do the other way around with ISE with either of the protocols i.e., AD first and then DUO.
0 Helpful

Go to solution
smano
Cisco Employee
Cisco Employee
In response to Surendra

‎01-10-2019 06:50 PM

Thanks @Surendra for responding, so my understanding is ISE cannot support the customer ask (which is auth goes to AD first and then to token server). ISE can only forward the authentication request to DUO proxy first and then the proxy forwards to AD and duo token server i.e as shown in diagram below. Am I right? 

 

Screen Shot 2019-01-07 at 2.54.51 PM.png

0 Helpful

Go to solution
Surendra
Cisco Employee
Cisco Employee
In response to smano

‎01-11-2019 01:19 AM

With https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/213239-configure-external-radius-servers-on-ise.html ,

1. ISE forwards/proxies the request to DUO.
2. DUO validates the credentials entered by the user.
3. DUO sends an access-accept back to ISE if the credentials are correct.
4. ISE will lookup the user in the AD.
5. Sned a final access-accept back to the network device.

Go to solution
nupur jain
Cisco Employee
Cisco Employee
In response to Surendra

‎04-04-2019 07:36 AM

So the auth proxy will check with the AD ( primary auth ) and then with Duo Cloud ( Secondary auth) 
Why does ISE have to check with AD again?

 

Can ISE Integrate with Duo for 2FA, after doing primary auth with AD ( without a auth proxy in the middle) 

0 Helpful

Go to solution
faylee
Cisco Employee
Cisco Employee
In response to smano

‎01-11-2019 04:55 AM

Yes, you are correct.  What is the reason to hit AD first?

 

0 Helpful

Go to solution
hasitha siriwardhana
Level 1
Level 1
In response to Surendra

‎04-05-2019 03:14 AM

Hi Surendra,

 

1) Do we need only to add ISE as a radius token server on achieving 2 FA?

2) Without doing ISE for authentication and DUO for authorization, can we done same authentication request get authenticated by ISE and DUO.

 

regards

hasitha

0 Helpful
Customers Also Viewed These Support Documents