Hi all,
I’m working on a lab setup to test Duo MFA integration with Cisco ISE for admin access to the Web GUI. My environment is entirely virtual and consists of the following three virtual machines:
- Active Directory (AD) – Windows Server with users created and configured.
- Duo Authentication Proxy – Version 6.5.0, installed and running with proper integration to AD.
- Cisco ISE – Version 3.4.0.608, configured to use AD as the external identity source.
Here’s what I’ve done so far:
- Successfully integrated Cisco ISE with Active Directory.
- Installed and configured the Duo Authentication Proxy to communicate with both ISE and AD.
- Followed the official Duo documentation for integrating Cisco ISE with Duo via RADIUS: https://duo.com/docs/ciscoise-radius
My goal:
Only AD users with admin privileges who log into the ISE Web GUI should receive Duo Push notifications for two-factor authentication.
My issue:
The Duo integration seems geared toward remote VPN or ASA/FTD use cases. In my lab, I’m not using any VPN, ASA, or FTD devices—just local web access to the ISE GUI. I’m not seeing Duo Push notifications when AD admin users log into the ISE web interface.
Has anyone configured Duo MFA directly for Cisco ISE Web GUI logins with AD users, without involving ASA, FTD, or VPN? I would appreciate any guidance or insight into how to make this work in a lab environment.
Thanks in advance!