cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

Duo MFA Integration with ISE for TACACS+ Device Administration with Microsoft Active Directory Users

1372
Views
40
Helpful
0
Comments

Overview:

In this setup, ISE will forward the TACACS+ authentication requests to the Duo Authentication proxy. The proxy will check AD and if the authentication is successful, the end user/admin will be send a "Duo Push." If the AD authentication fails, then the process will stop and no "Duo Push" will occur.

Note: For integration with Duo, ISE and local (ISE) datastore, please visit the following link:

https://community.cisco.com/t5/security-documents/draft-duo-mfa-integration-with-ise-for-tacacs-device/ta-p/3882063

Detailed Steps:

  1. Admin user initiates a shell connection to a network device where he/she uses Active Directory based credentials
  2. Network device forwards the request to the TACACS+ server (ISE)
  3. ISE sends the authentication request to Duo's Authentication Proxy
  4. The proxy forwards the request to Active Directory for the 1st factor authentication
  5. Active Directory informs the Authentication Proxy if the authentication was successful
  6. Upon successful AD authentication, the Authentication Proxy sends an authentication request to Duo cloud for 2nd factor authentication
  7. Duo cloud sends a "push" to the admin user
  8. Admin user "approves" the "push"
  9. Duo informs the Authentication Proxy of the successful push
  10. Authentication proxy informs ISE of a successful Authentication
  11. ISE Authorizes the admin user

ISE with DUO with AD.jpg

Assumptions:

  • You have good/solid understanding of AAA concepts and configurations
  • Your network access devices (Routers, Switches, Firewalls, etc) are already configured for AAA (TACACS+) with ISE
  • The ISE deployment is already integrated with Active Directory
  • The ISE deployment is properly licensed

Components Used:

  • Active Directory running on Microsoft Server 2016
  • Cisco ISE running on version 2.6 - patch-1
  • Duo Authentication Proxy version 3.0.0 running on Windows 10 and Ubuntu 18

Step-1 - Duo System Configuration

  • Login to your Duo account and click on "Applications"
  • Search for "RADIUS" and click "Protect This Application"
  • In a notepad copy and paste your Integration Key, Secret Key and API Hostname

Step-2 - Download, Install and Configure Duo's Authentication Proxy

  • Download the latest Duo Authentication Proxy from this URL:
  • https://duo.com/docs/authproxy-reference
  • Install the authentication proxy on your Windows or Linux machine (Installation Instructions are available in the link above). In this example, I have installed the primary Authentication Proxy on a Windows 10 machine while the secondary was installed on Ubuntu
  • Configure the proxy by editing the authproxy.cfg file:
[ad_client] 
host=1.2.3.4 >>> IP Address of Primary AD Server
host_2=4.3.2.1 >>> IP Address of Secondary AD Server
service_account_username=duoservice >>> AD Service Account
service_account_password=password1 >>> AD Service Account Password
search_dn=DC=example,DC=com >>> AD Base information
!
[radius_server_auto]
ikey=xxxxxxxxxxxxxx >>> Your integration key (Step-1)
skey=xxxxxxxxxxxxxx >>> Same as above
api_host=xxxxxxxxxxxxxx >>> Same as above
radius_ip_1=10.1.1.1 >>> IP address of primary ISE PSN
radius_secret_1=xxxx >>> AAA secret
radius_ip_2=10.1.1.2 >>> IP address of secondary ISE PSN
radius_secret_2=xxxx >>> AAA secret
failmode=safe
client=ad_client >>> Instructs the proxy to use AD for 1st factor authentication
port=1812 >>> RADIUS Port
  • Start the proxy server(s) and check the proxy logs for any configuration/connectivity errors:
  • Note: In Windows installations, make sure that the Windows Firewall is configured to allow connections for the authentication proxy:

Windows Firewall.jpg

Step-3-Configuring ISE:

Add Duo's Authentication Proxies

  • Go to Administration > Identity Management > External Identity Sources > RADIUS Token > Click Add
    • Give it a name
    • Under the "Connection" tab, add the information from the Duo Primary and Secondary (If applicable) Authentication Proxies
    • Make sure that the "Shared Secret" matches what you defined in Step-2
    • Change the "Server Timeout" to a value of 30 seconds or greater in order to avoid RADIUS timeouts
    • Click "Save"

Create Identity Source Sequence

  • While on the same page, click on "Identity Source Sequences" and then click "Add"
    • Give it a name
    • Add the newly created RADIUS Token Server and your AD-Joint point to the "Selected" column in the "Authentication Search List"
    • Click "Save"

2019-06-28_20-49-36.png

Create Device Admin Policies

  • Navigate to "Work Centers > Device Administration > Device Admin Policy Sets"
  • In this example, I have created a Policy Set that matches on both protocols (RADIUS and TACACS+) with the "Allowed Protocols" set to "Default Device Admin"

2019-06-28_21-01-51.png

  • Inside my policy set, I have the following policies:
    • Authentication:
      • Default rule set to check the "Identity Source Sequence" that we defined in the steps above which contains the RADIUS Token Servers (Duo Authentication Proxies) and Active Directory:

2019-06-29_11-39-49.png

    • Authorization:
      • Here I have a rule that checks if the authenticated user belongs either the "Domain Users" or "NS-ISE-IOS-Admins" groups that I have configured in AD. If the user belongs to one of these groups then I am returning back my pre-configured "Command Sets" and "Shell Profile."

2019-06-29_11-54-11.png

 

Step-4-Add and onboard users in Duo

  • Here you can configure Duo automatically sync with your Active Directory. However, this is out of scope for this document and the process that I am showing here is for manual creation of the user
  • In the Duo console go to "Users > Add Users"
  • The username here must match the username that exist in your Active Directory. In my example here, I am working with the username of "nspasov"

2019-06-29_12-06-13.png

Step-5-Testing

  • Initiate connection (ssh or telnet) from a network device that is already added in ISE
  • Use the AD credentials for the admin user
  • Upon successful authentication, confirm that the user received a Duo Push
  • After approving the Duo Push, the admin user should be now authenticated and authorized
  • Your TACACS+ live logs in ISE should show Authentication requests against the Duo Authentication Proxies
  • You can check the "authproxy" log file in your Authentication Proxy for any errors/issues