cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
812
Views
0
Helpful
4
Replies

Cisco ISE an DUO Radius Attributes back to ISE

Nils 86
Level 1
Level 1

hi,

we wants to secure our authentication for administrative access to network devices with Cisco ISE and DUO. I configured every step like it was writen in this post from NSPASOV and it works fine!

https://community.cisco.com/t5/security-knowledge-base/duo-mfa-integration-with-ise-for-tacacs-device-administration/ta-p/3881767

my problem is that no attributes are comming back from the DUO Proxy to ISE and i nedd this attribues to send back permission to the network devices.

here is my DUO proxy config:
[radius_server_auto]
ikey=123
skey=123
api_host=api-123.duosecurity.com
radius_ip_1=1.2.3.4
radius_secret_1=secret
failmode=safe
client=ad_client
port=1812

Are the any options to passthrouh the attributes with a ad_client? Or any ideas how ISE coud get these Attributes from LDAP oder AD in a second request?

thanks and regards
Nils

1 Accepted Solution

Accepted Solutions

DuoKristina
Cisco Employee
Cisco Employee

You must be using RADIUS for primary auth to pass additional attributes using RADIUS secondary. In an AD environment this usually means standing up NPS and pointing the Duo proxy's radius_client config to that. take a look at the pass_through_attr_names and pass_through_all settings in the Authentication Proxy reference.

You could also use ad_client with ldap_server_auto, which won't pass additional attributes with authentication btu will let ISE make additional LDAP queries after the initial bind for other attribute values, if ISE supports that.

Another option is the Duo integration the ISE team added in 3.3 P1 release: https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_segmentation.html#integrate-duo-with-cisco-ise. This enables Duo for secondary without an on-premises Authentication Proxy at all, and you can continue using your direct AD LDAP connection from ISE to your domain controllers (I think?).

Duo, not DUO.

View solution in original post

4 Replies 4

DuoKristina
Cisco Employee
Cisco Employee

You must be using RADIUS for primary auth to pass additional attributes using RADIUS secondary. In an AD environment this usually means standing up NPS and pointing the Duo proxy's radius_client config to that. take a look at the pass_through_attr_names and pass_through_all settings in the Authentication Proxy reference.

You could also use ad_client with ldap_server_auto, which won't pass additional attributes with authentication btu will let ISE make additional LDAP queries after the initial bind for other attribute values, if ISE supports that.

Another option is the Duo integration the ISE team added in 3.3 P1 release: https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_segmentation.html#integrate-duo-with-cisco-ise. This enables Duo for secondary without an on-premises Authentication Proxy at all, and you can continue using your direct AD LDAP connection from ISE to your domain controllers (I think?).

Duo, not DUO.

Nils 86
Level 1
Level 1

Hey @DuoKristina  thanks for your response!

to your first option, coud i use the ISE (that is connectet to the domain) as the radius client?

to the second, i need to talk to an ISE expert.. i hoped that the ise starts a second session for the authorization session.

the integration from the DUO proxy in ISE is very interesting, thanks for your notive!

regards Nils

@DuoKristina  the option to use the ISE a the Radius Client, works! thanks for your help! regards Nils

 

Glad that worked for you!

Duo, not DUO.
Quick Links