I haven't worked much on multi-factor authentication on ISE, so it would be great if I could get more details on this. The customer needs ISE to support the design below; is it possible? Basically, they want to do TACACS auth for the devices below, where the authentication request should go to AD and then, once successful, go to the DUO server for a phone call or token. Is there any configuration example that helps with this scenario?
List of network devices we will use for testing:
Thanks @Surendra for responding. So my understanding is that ISE cannot support the customer's ask (which is that auth goes to AD first and then to the token server). ISE can only forward the authentication request to the DUO proxy first, and then the proxy forwards it to AD and the DUO token server, i.e., as shown in the diagram below. Am I right?
So the auth proxy will check with AD (primary auth) and then with Duo Cloud (secondary auth).
Why does ISE have to check with AD again?
Can ISE integrate with Duo for 2FA after doing primary auth with AD (without an auth proxy in the middle)?
1) Do we only need to add ISE as a RADIUS token server to achieve 2FA?
2) Without using ISE for authentication and DUO for authorization, can the same authentication request get authenticated by ISE and DUO?