05-27-2025 06:49 PM
Hello!
This is my first experience with DUO. My goal is to configure a corporate WLAN with single-factor authentication using Duo Cloud. When connecting, the client is redirected to an ISE portal (Sponsor?). This portal then invokes DUO for authentication. A few questions have come up:
Appliances: ISE 3.4 + WLC 9800
1. Is it possible to implement this design?
2. The client claims it is possible and that a DUO proxy is not required. Is that correct?
3. Is an ISE portal required? Or is it possible to redirect directly to Duo Cloud?
4. If required, what type of portal should I use — Sponsor?
5. How do I create the REDIRECT ACL? I believe it must allow FQDNs (*.duosecurity.com) or maybe use URL Filter on the WLC.
Do you have any links or guides that can help with this implementation?
Thank you,
Rafael
05-28-2025 01:33 AM
Duo proxy is not required anymore starting from version 3.3 patch 1, as you can enable native MFA on ISE. Please check this link. It is more for VPN connections; however, in your case you just need to forward the authentication requests from the WLC to ISE, and all the remaining configs should be the same:
Configure ISE 3.3 Native Multi-factor Authentication with Duo - Cisco
05-28-2025 10:33 AM
Hello Aref,
Thank you for your response. I completed all the configurations and reached the following point: The client connects to the WLAN and nothing happens (the redirect doesn’t work). But the client is visible on the WLC, I can see that it receives the correct VLAN and the redirect URL. If we manually enter the redirect URL into the browser, the DUO portal appears, we can enter the email/password, and the connection is allowed.
The redirect ACL includes 3 IPs from DUO. I also believe there are no more firewall blocks. I created a permit URL Filter (*.duo.com, *.duosecurity.com) on the WLC and associated it with the flex group, but it didn’t work.
Tks
05-29-2025 03:34 AM - edited 05-29-2025 03:34 AM
Hello Rafael. What do you see in the ISE logs for that session? The only thing that comes to mind that might cause this issue is CoA. Do you have it enabled on the WLC and ISE?