03-12-2024 12:11 AM
hi,
we want to secure our authentication for administrative access to network devices with Cisco ISE and DUO. I configured every step as it was written in this post from NSPASOV and it works fine!
My problem is that no attributes are coming back from the DUO Proxy to ISE, and I need these attributes to send back permissions to the network devices.
here is my DUO proxy config:
[radius_server_auto]
ikey=123
skey=123
api_host=api-123.duosecurity.com
radius_ip_1=1.2.3.4
radius_secret_1=secret
failmode=safe
client=ad_client
port=1812
Are there any options to pass through the attributes with an ad_client? Or any ideas how ISE could get these attributes from LDAP or AD in a second request?
thanks and regards
Nils
03-12-2024 08:46 AM - edited 03-12-2024 08:46 AM
You must be using RADIUS for primary auth to pass additional attributes using RADIUS secondary. In an AD environment this usually means standing up NPS and pointing the Duo proxy's radius_client config to that. Take a look at the pass_through_attr_names and pass_through_all settings in the Authentication Proxy reference.
You could also use ad_client with ldap_server_auto, which won't pass additional attributes with authentication but will let ISE make additional LDAP queries after the initial bind for other attribute values, if ISE supports that.
Another option is the Duo integration the ISE team added in 3.3 P1 release: https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_segmentation.html#integrate-duo-with-cisco-ise. This enables Duo for secondary without an on-premises Authentication Proxy at all, and you can continue using your direct AD LDAP connection from ISE to your domain controllers (I think?).
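An authproxy.cfg for the RADIUS-primary option described above, as an added example that is not part of the original thread or of Duo's documentation: the ad_client section from the question is replaced by a radius_client section that points primary authentication at ISE (the approach the thread later confirms), with attribute passthrough enabled. The IP address, secrets, ikey/skey/api_host and the attribute names are placeholders.

```ini
; Duo Authentication Proxy (authproxy.cfg), added example with placeholder values.
; Assumed: ISE PSN at 10.0.0.10, proxy and ISE on different hosts.

; Primary authentication against ISE over RADIUS instead of ad_client.
; ISE must list the proxy host as a network device with this shared secret so
; it accepts the request, evaluates its AD-based policy and returns the
; authorization attributes in its Access-Accept.
[radius_client]
host=10.0.0.10
secret=PROXY_TO_ISE_SECRET
port=1812

; ISE sends the admin login to this listener. After primary auth succeeds via
; radius_client, Duo performs the second factor and answers ISE.
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=YOUR_SKEY_PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=10.0.0.10
radius_secret_1=ISE_TO_PROXY_SECRET
failmode=safe
client=radius_client
port=1812
; Forward every attribute from the primary Access-Accept back to ISE ...
pass_through_all=true
; ... or only the named ones (standard RADIUS attribute names, comma separated):
; pass_through_attr_names=Class,Filter-Id
```

Because ISE now receives one request from the network device (the one it forwards to the proxy) and a second one from the proxy itself, the ISE policy sets must tell them apart, for example by the network device the request arrived from, so that the proxy-originated request is authenticated against AD and not forwarded to Duo again.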
03-13-2024 03:32 AM
Hey @DuoKristina thanks for your response!
To your first option, could I use the ISE (that is connected to the domain) as the RADIUS client?
To the second, I need to talk to an ISE expert... I hoped that the ISE starts a second session for the authorization session.
The integration from the DUO proxy in ISE is very interesting, thanks for your note!
regards Nils
03-13-2024 04:52 AM
@DuoKristina the option to use the ISE as the RADIUS client works! Thanks for your help! Regards, Nils
03-13-2024 06:45 AM
Glad that worked for you!