Solved: Cisco ISE an DUO Radius Attributes back to ISE

Nils 86 · ‎03-12-2024

hi,

we wants to secure our authentication for administrative access to network devices with Cisco ISE and DUO. I configured every step like it was writen in this post from NSPASOV and it works fine!

https://community.cisco.com/t5/security-knowledge-base/duo-mfa-integration-with-ise-for-tacacs-device-administration/ta-p/3881767

my problem is that no attributes are comming back from the DUO Proxy to ISE and i nedd this attribues to send back permission to the network devices.

here is my DUO proxy config:
[radius_server_auto]
ikey=123
skey=123
api_host=api-123.duosecurity.com
radius_ip_1=1.2.3.4
radius_secret_1=secret
failmode=safe
client=ad_client
port=1812

Are the any options to passthrouh the attributes with a ad_client? Or any ideas how ISE coud get these Attributes from LDAP oder AD in a second request?

thanks and regards
Nils

DuoKristina · ‎03-12-2024

You must be using RADIUS for primary auth to pass additional attributes using RADIUS secondary. In an AD environment this usually means standing up NPS and pointing the Duo proxy's radius_client config to that. take a look at the pass_through_attr_names and pass_through_all settings in the Authentication Proxy reference.

You could also use ad_client with ldap_server_auto, which won't pass additional attributes with authentication btu will let ISE make additional LDAP queries after the initial bind for other attribute values, if ISE supports that.

Another option is the Duo integration the ISE team added in 3.3 P1 release: https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_segmentation.html#integrate-duo-with-cisco-ise. This enables Duo for secondary without an on-premises Authentication Proxy at all, and you can continue using your direct AD LDAP connection from ISE to your domain controllers (I think?).

Duo, not DUO.

View solution in original post

DuoKristina · ‎03-12-2024

You must be using RADIUS for primary auth to pass additional attributes using RADIUS secondary. In an AD environment this usually means standing up NPS and pointing the Duo proxy's radius_client config to that. take a look at the pass_through_attr_names and pass_through_all settings in the Authentication Proxy reference.

You could also use ad_client with ldap_server_auto, which won't pass additional attributes with authentication btu will let ISE make additional LDAP queries after the initial bind for other attribute values, if ISE supports that.

Another option is the Duo integration the ISE team added in 3.3 P1 release: https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_segmentation.html#integrate-duo-with-cisco-ise. This enables Duo for secondary without an on-premises Authentication Proxy at all, and you can continue using your direct AD LDAP connection from ISE to your domain controllers (I think?).

Duo, not DUO.

Nils 86 · ‎03-13-2024

Hey @DuoKristina thanks for your response!

to your first option, coud i use the ISE (that is connectet to the domain) as the radius client?

to the second, i need to talk to an ISE expert.. i hoped that the ise starts a second session for the authorization session.

the integration from the DUO proxy in ISE is very interesting, thanks for your notive!

regards Nils

Nils 86 · ‎03-13-2024

@DuoKristina the option to use the ISE a the Radius Client, works! thanks for your help! regards Nils

DuoKristina · ‎03-13-2024

Glad that worked for you!

Duo, not DUO.