AnyConnect Cert Authent. via ISE and DUO

Hi,
We want to enable Certificate-only Authentication with a smart card. FTD takes the username from the cert and forwards it to ISE (RADIUS), and ISE forwards it to the DUO proxy. DUO should check that username in AD, and after that the user should receive a DUO PUSH on the phone. Authorization proceeds on the ISE.
The issue is the following: when FTD forwards the username via RADIUS, the "password" field is empty, so when DUO tries to check that user, an error occurs, because that field mustn't be empty.

The same problem was described there (AnyConnect Certificate authentication via ISE and DUO Proxy - #3 by gbercsenyi), but the solution doesn't work for our situation.

Hi Dennis_Emissar,
Welcome to the Duo community!

The certificate does not carry user password information, so when the proxy attempts to validate the user credentials against your directory using LDAP this will fail.

The solution here is to have ISE perform primary authentication itself and only contact the proxy for secondary authentication. Essentially this is split authentication, where the proxy is only responsible for 2FA and the ISE is responsible for 1FA.

This is achieved by using the Duo Only configuration in the proxy that can be located in the docs below, to ensure that Duo is only responsible for the 2FA portion of the authentication:

If you run into any challenges with the Duo portion of this configuration, or with the overall concept, I recommend you reach out to support@duosecurity.com for assistance.

Hello,
Thank you for the reply.

Your solution seems good, but there is another question:
We have configured the Duo proxy with ad_client, so that the proxy does 1FA and 2FA. Can we configure the proxy with ad_client and duo_only_client simultaneously and split users somehow, or do we need to create a second proxy server?

Hello,
Finally, the solution in our case is:
We enabled [duo_only_client] on the DUO-Proxy, which already exists with [ad_client].
Config looks like:
[ad_client]
; AD connection settings not shown in the post (host, service account, ...)
[duo_only_client]
; no settings: this client skips primary authentication entirely

; listener for clients that still need the proxy to do 1FA against AD
[radius_server_auto]
ikey=****
skey=****
api_host=****
radius_ip=****
radius_secret=****
failmode=safe
client=ad_client
port=1812

; second listener, used by ISE for the certificate users (2FA only)
[radius_server_auto2]
ikey=****
skey=****
api_host=****
radius_ip=****
radius_secret=****
failmode=safe
client=duo_only_client
port=1814

The splitting task was solved the following way: on ISE, under Administration - Network Resources - External RADIUS Sequences, we just added another RADIUS server. In RADIUS Server Sequences we added another sequence with that well-known new server.
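A small consistency check for the layout this thread arrives at, added here as an example and not Duo's own tooling or the poster's config: it parses an authproxy.cfg-style text and confirms that every [radius_server_*] section points at a defined client section, carries the keys the proxy needs, and listens on its own port, which is what lets ISE do 1FA for the certificate users while [ad_client] keeps handling password users. Every value in the sample is a constructed placeholder standing in for the **** the post masks.

```python
import configparser

# Constructed sample in the layout the poster described; all values are placeholders.
SAMPLE_CFG = """\
[ad_client]
host=dc1.example.test
service_account_username=duo_svc
[duo_only_client]
[radius_server_auto]
ikey=DIPLACEHOLDER00000000
skey=placeholder
api_host=api-placeholder.duosecurity.com
radius_ip=10.0.0.5
radius_secret=placeholder
client=ad_client
port=1812
[radius_server_auto2]
ikey=DIPLACEHOLDER00000000
skey=placeholder
api_host=api-placeholder.duosecurity.com
radius_ip=10.0.0.5
radius_secret=placeholder
client=duo_only_client
port=1814
"""
AD_REQUIRED = ("host", "service_account_username")
SERVER_REQUIRED = ("ikey", "skey", "api_host", "radius_ip", "radius_secret", "client")


def check_proxy_config(text):
    """Return problems found; an empty list means the split layout is consistent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = []
    clients = [s for s in cp.sections() if s.endswith("_client")]
    for key in AD_REQUIRED:  # an [ad_client] that cannot bind to AD cannot do 1FA
        if cp.has_section("ad_client") and not cp.has_option("ad_client", key):
            problems.append(f"[ad_client] is missing {key}")
    bound = {}  # listener port -> section; two servers cannot share one port
    for sec in cp.sections():
        if not sec.startswith("radius_server_"):
            continue
        for key in SERVER_REQUIRED:
            if not cp.has_option(sec, key):
                problems.append(f"[{sec}] is missing {key}")
        client = cp.get(sec, "client", fallback=None)
        if client is not None and client not in clients:
            problems.append(f"[{sec}] client={client} has no matching section")
        port = cp.get(sec, "port", fallback="1812")  # proxy default port
        if port in bound:
            problems.append(f"[{sec}] port {port} already used by [{bound[port]}]")
        bound[port] = sec
    return problems
```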