cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

5236
Views
0
Helpful
6
Replies
smano
Cisco Employee

TACACS two factor authentication with DUO

Hi folks, 

 

I haven't worked much on multi factor authentication on ISE. So it would be great if I get more details on this, The customer needs the below design to support from ISE, is it possible? So basically they want to do TACACS auth for the below devices where the authentication request should go to AD and then once successful it should go to DUO server for phonecall or token? Is there any configuration example which helps the scenerio 

 

Screen Shot 2019-01-10 at 2.43.53 PM.png

List of network devices we will use for testing:

Nexus 7710  - 8.2.1 Code
Nexus 93180  - 7.x
ASR1009  - 16.6.4
ASR9K - 6.2.3
Catalyst 4510 - 3.02.10.SG
WLC 8540  - 8.5.143.0
WLC 5508 - 8.3.133.10
WLC 5760 - 03.07.05E
Cisco PI - 3.4
Cisco ISE - 2.3 Patch 5
Cisco Prime Assurance -
F5 LTM/GTM -
InfoBlox - 8.2.2
Cisco VG350 –
Cisco Call Manager – 11.5.x
Cisco ASA5580 – 8.4.x
FTD - 6.x

 

1 ACCEPTED SOLUTION

Accepted Solutions
Surendra
Cisco Employee

Configure ISE as a TACACS server and DUO as a RADIUS server on the Network device.

Configure authentication to be done against ISE (Configure ISE to look for the user in AD) and authorization to be done against DUO.

This will work as long as the network device supports different servers for authentication and authorization.

ISE in itself does not support MFA but utilizes the third party device capability to do so. TACACS has a very limited scope when it some to MFA on ISE. For instance : https://community.cisco.com/t5/security-documents/using-duo-with-ise-2-3-and-acs-5-x-for-2fa-cisco-network-admin/ta-p/3642171

If you plan to use RADIUS, then you can probably try this https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/213239-configure-external-radius-servers-on-ise.html#anc7 . Here you can check with DUO call or OTP first and then lookup the user in the AD in authorization policies if you choose the option to continue with authorization on Access-Accept.

You cannot do the other way around with ISE with either of the protocols i.e., AD first and then DUO.

View solution in original post

6 REPLIES 6
Surendra
Cisco Employee

Configure ISE as a TACACS server and DUO as a RADIUS server on the Network device.

Configure authentication to be done against ISE (Configure ISE to look for the user in AD) and authorization to be done against DUO.

This will work as long as the network device supports different servers for authentication and authorization.

ISE in itself does not support MFA but utilizes the third party device capability to do so. TACACS has a very limited scope when it some to MFA on ISE. For instance : https://community.cisco.com/t5/security-documents/using-duo-with-ise-2-3-and-acs-5-x-for-2fa-cisco-network-admin/ta-p/3642171

If you plan to use RADIUS, then you can probably try this https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/213239-configure-external-radius-servers-on-ise.html#anc7 . Here you can check with DUO call or OTP first and then lookup the user in the AD in authorization policies if you choose the option to continue with authorization on Access-Accept.

You cannot do the other way around with ISE with either of the protocols i.e., AD first and then DUO.

View solution in original post

Thanks @Surendra for responding, so my understanding is ISE cannot support the customer ask (which is auth goes to AD first and then to token server). ISE can only forward the authentication request to DUO proxy first and then the proxy forwards to AD and duo token server i.e as shown in diagram below. Am I right? 

 

Screen Shot 2019-01-07 at 2.54.51 PM.png

With https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/213239-configure-external-radius-servers-on-ise.html ,

1. ISE forwards/proxies the request to DUO.
2. DUO validates the credentials entered by the user.
3. DUO sends an access-accept back to ISE if the credentials are correct.
4. ISE will lookup the user in the AD.
5. Sned a final access-accept back to the network device.

So the auth proxy will check with the AD ( primary auth ) and then with Duo Cloud ( Secondary auth) 
Why does ISE have to check with AD again?

 

Can ISE Integrate with Duo for 2FA, after doing primary auth with AD ( without a auth proxy in the middle) 

faylee
Cisco Employee

Yes, you are correct.  What is the reason to hit AD first?

 

Hi Surendra,

 

1) Do we need only to add ISE as a radius token server on achieving 2 FA?

2) Without doing ISE for authentication and DUO for authorization, can we done same authentication request get authenticated by ISE and DUO.

 

regards

hasitha

Content for Community-Ad