2741 Views | 0 Helpful | 11 Replies

Cisco ISE and DUO MFA

We are trying to have Duo Proxy use ISE to authenticate and not be a proxy to AD or another Radius Server. Has anyone gotten this to work before?


11 Replies

Dinesh Moudgil (Cisco Employee)

Hi Pierre,

This might help:

https://duo.com/docs/ciscoise-radius#overview

If you are looking for Duo SAML SSO using ISE for Anyconnect, here is a doc:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215672-integrate-duo-saml-sso-with-anyconnect-s.html

Thank you,

Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi and Thank you Dinesh, I have seen the DUO Docs that you provided, the key to the whole setup is having the RADIUS terminate auth at ISE and not allow it to just proxy through. If ISE is a true RADIUS server why do I need to proxy through it and not allow it to answer the question of if the username/password is correct?

Hi Pierre,

ISE is a true RADIUS server and does allow the validation of user authentication irrespective of whether the user is locally present or via integration to another identity resource.

You might want to confirm Duo proxy working at https://community.duo.com/ but here is what you can try.

If you configure ISE under radius_client within the authproxy.cfg configuration file, Duo proxy will contact ISE to do primary authentication and use its database.

To complete the configuration, configure ISE under radius_server_auto within the authproxy.cfg configuration file; this will allow ISE to send authentication requests to the Authentication Proxy. Make sure you do define client=radius_client within the radius_server_auto section to use RADIUS (and not AD) for primary authentication.

Thank you,

Dinesh Moudgil

It seems what you are asking is for ISE (as a RADIUS server) to also be your primary authentication source. In most deployments ISE uses an external identity store like AD or LDAP.

I've not tried what you're asking but that should be possible. It would be a bit recursive though.

Are you looking to do this for device admin (TACACS+) or network access control (802.1x + RADIUS)?

That is exactly what I'm trying to do. Not TACACS just yet. Traffic would flow as below. Excuse my simple drawing:

Anyconnect --> ASA --> DUO Proxy --> ISE --> DUO Proxy --> DUO Cloud --> Phone Push --> DUO Cloud --> DUO Proxy --> ASA

Hi Pierre,

Try using ASA instead of ISE under radius_server_auto with ISE under radius_client.

Thank you,

Dinesh Moudgil

We do have the ASA under radius_server_auto and ISE under radius_client. Since I am running a cluster I have both IPs for the radius_client as well.
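Putting the two replies together (the ISE PSNs under [radius_client], the ASA under [radius_server_auto] with client=radius_client), this is the shape of the authproxy.cfg being described. It is an added example, not a file posted in the thread or taken from Duo's documentation; hostnames, addresses and secrets are placeholders.

```ini
; Added example, not from the thread. All hosts, IPs and secrets are placeholders.

; Primary authentication: the proxy forwards the username/password to ISE.
; In ISE terms the proxy host is the Network Access Device, so ISE must have
; the proxy's IP defined as a network device with the same shared secret, and
; each ISE node listed here must run the Policy Service (PSN) persona. A node
; without it is not listening on 1812 and answers with ICMP Port Unreachable
; instead of a RADIUS response, which is the symptom reported in the thread.
[radius_client]
host=ise-psn1.example.com
host_2=ise-psn2.example.com
secret=PLACEHOLDER_ISE_NAD_SECRET
port=1812

; Secondary authentication: the ASA sends its RADIUS Access-Requests to the
; proxy; the proxy checks the password against ISE (client=radius_client),
; then adds the Duo push before answering the ASA.
[radius_server_auto]
ikey=PLACEHOLDER_DUO_INTEGRATION_KEY
skey=PLACEHOLDER_DUO_SECRET_KEY
api_host=api-PLACEHOLDER.duosecurity.com
radius_ip_1=192.0.2.10
radius_secret_1=PLACEHOLDER_ASA_SECRET
; must point at the [radius_client] section above, not ad_client,
; or primary authentication will not terminate on ISE
client=radius_client
port=1812
```

The secret under [radius_client] is the one ISE holds for the proxy as a network device; radius_secret_1 is the separate secret the ASA is configured with for the proxy.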

Thanks for the confirmation.

Assuming there is no communication issue between the devices involved, please attempt a test authentication and enable radius debugs on ASA and Duo Proxy and review them along with ISE live logs. These can give insights on what seems to be not working.

Here is what else is happening after doing some testing. ISE is actually sending back an ICMP message stating Destination Unreachable.

Duo Proxy sends Access-Request

ISE sends ICMP Destination Unreachable (Port Unreachable)

Is ISE being used for authentication for other NADs and that works? Confirming if the ISE you are using is set up correctly [Make sure the nodes in distributed deployments have PSN personas for the ISE servers configured under radius_client].

Can you please share your authproxy configuration and ISE authC and authZ rules for this flow?

Perhaps place the "runtime-AAA" component in debug on the ISE GUI and run the following on the ISE CLI while attempting authentication:

terminal length 0

show logg application prrt-server.log tail

Marvin Rhoads (Hall of Fame)

As I understand it, in this case the DUO Proxy would be the Network Access Device in ISE terms. It sends requests to ISE and then ISE would authenticate using its local identity store. It wouldn't be able to authorize though beyond a simple RADIUS Access-Accept message. ISE's local identities are pretty bare bones though - just a username and password and optionally local group membership. None of the features like password management, authorization based on group membership etc. would be available to you.
