cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

4170
Views
5
Helpful
8
Replies
ryfirth
Cisco Employee

Using Duo with ISE for multi-factor authentication

Assume we configure ISE as the Primary and Duo as the secondary auth, which would function more like an OTP server than a Proxy. The questions I have are 1)  would ISE be able to pass radius attributes to the client with Duo as the secondary and 2) does this method dilute Duo’s functionality (where ISE does not have the capability to substitute)?

In this image from Duo, ISE would be the Primary Authentication via RADIUS:

duo.png

1 ACCEPTED SOLUTION

Accepted Solutions
hslai
Cisco Employee

At present, only ASA can perform such multi authentications. I believe you need to configure ASA to first auth against Due and then to authentication and authorization against ISE.

PS: Nice diagram.

View solution in original post

8 REPLIES 8
hslai
Cisco Employee

At present, only ASA can perform such multi authentications. I believe you need to configure ASA to first auth against Due and then to authentication and authorization against ISE.

PS: Nice diagram.

View solution in original post

Hi Hsing,

Hope you're doing well.  Is this still the case with ISE 2.2, where multi-authentications are not supported?  I created a RADIUS Token to point to Duo's Authentication Proxy (an on-prem appliance that proxies AAA requests to Duo's cloud).  I'm trying to set up the authentication policy so primary authentication is handled by ISE, but have ISE also trigger a secondary auth to Duo.  The requirement is to only configure primary authentication and authorization on the ASA and NOT configure secondary authentication on the ASA; the requirement is to have ISE or ACS trigger this secondary auth to Duo.  Is this possible? 

Thanks in advance.

ISE 2.2 is still doing single auth except for EAP chaining or CWA chaining. I would suggest to bring your use case to our ISE product management team.

This is a bit old, but I am struggling with this setup currently. The original configuration was ASA -> ISE -> DUO proxy. DUO proxies being setup as Radius tokens. We have suffered from many issues with this configuration, timings mainly. 

 

So Duo has said redesign. SO now its ASA -> DUO Proxies -> ISE

 

The Issue I am having now is with what seems to be CoA being passed through the DUO servers from ASA to ISE and ISE to ASA when needing my anyconnect clients to get dACLs. Anyone else running into similar issues?

I'm seeing the same thing.

 

When it's ASA -- Duo Proxy -- ISE, I'm not able to push a dACL to my VPN session. I do see reference to the ACL name in the Duo Proxy debug logs:

 

2018-12-13T14:11:05-0500 [RadiusClient (UDP)] '<redacted>\x01@ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-BLOCK-RFC1918-5b16ae0f\x1a\x15\x00\x007c\x06\x0fBLOCK-RFC1918'

 

The public IP address of my device connecting via VPN is listed under 'Access Device' info in the Duo dashboard. I believe this is what's used for any policy enforced by Duo. 

 

Screen Shot 2018-12-14 at 8.57.01 AM.png 

If I change my configuration to use Duo Proxy as a token server, my dACL gets applied successfully, but I lose the IP address being reported to the Duo dashboard, which poses a problem for folks trying to apply policies from Duo.

 

Is there a way to get the public IP of the device on the Duo dashboard and a dACL applied to the VPN session?

What do you mean by use duo proxy as token server?

Configure Duo as a RADIUS Token under External Identity Sources.

I have that configured and I still do not get the dACLs to the client.

So the ASA does radius to ISE, then ISE policy set says if this then use radius token duo.

Timing issues are horrific. I think the issue is that ASA can't pass CoA through DUO proxy and vice versa.
Create
Recognize Your Peers
Polls
Which of these topics should we host an event in the Community?

Top Choice: ISE- Guest and Posture Troubleshooting (37%)

Content for Community-Ad

ISE Webinars



Did you miss a previous ISE webinar?

CiscoISE YouTube Channel