In this setup, ISE forwards the TACACS+ authentication (the username and password from the network device) to the Duo Authentication Proxy over RADIUS. The proxy first checks the credentials against AD; only if that succeeds does the end user/admin receive a "Duo Push." If the AD authentication fails, the process stops there and no "Duo Push" is sent, so an attacker guessing passwords never generates push prompts.
Note: For integration of Duo with ISE using the local (ISE internal) user datastore instead of AD, please visit the following link:
Install the Authentication Proxy on your Windows or Linux machine (installation instructions are available in the link above). In this example, I have installed the primary Authentication Proxy on a Windows 10 machine while the secondary was installed on Ubuntu.
Configure the proxy by editing the authproxy.cfg file. The text after ">>>" on each line is an explanation and is not part of the file:

[ad_client]
host=188.8.131.52                      >>> IP address/FQDN of the primary AD server
host_2=184.108.40.206                  >>> IP address/FQDN of the secondary AD server
service_account_username=duoservice    >>> AD service account (read-only is enough; it only binds and searches)
service_account_password=password1     >>> AD service account password
search_dn=DC=example,DC=com            >>> AD base DN to search for users

[radius_server_auto]
ikey=xxxxxxxxxxxxxx                    >>> Your integration key (Step-1)
skey=xxxxxxxxxxxxxx                    >>> Your secret key (Step-1)
api_host=xxxxxxxxxxxxxx                >>> Your API hostname (Step-1)
radius_ip_1=10.1.1.1                   >>> IP address of the primary ISE PSN
radius_secret_1=xxxx                   >>> RADIUS shared secret for that PSN
radius_ip_2=10.1.1.2                   >>> IP address of the secondary ISE PSN
radius_secret_2=xxxx                   >>> RADIUS shared secret for that PSN
failmode=safe                          >>> If Duo's cloud service is unreachable, allow logins that passed AD ("secure" denies them instead)
client=ad_client                       >>> Use the [ad_client] section, i.e. AD, for first-factor authentication
port=1812                              >>> UDP port the proxy listens on for RADIUS

Two points to check before going live: the proxy only answers requests from the radius_ip_N addresses, so every ISE PSN that may handle device-admin requests needs its own radius_ip_N/radius_secret_N pair; and with failmode=safe a loss of reachability to Duo silently reduces device admin to single-factor, so decide deliberately between "safe" and "secure." The secrets above are stored in clear text; Duo ships the authproxy_passwd tool to store them encrypted (the *_protected form of each key), which is worth using on a shared admin host.
Start the proxy server(s) and check the proxy logs for any configuration or connectivity errors (an AD bind failure or an unreachable api_host shows up here before any user notices):
Note: On Windows installations, make sure that the Windows Firewall allows inbound UDP 1812 (or whatever port you configured) to the Authentication Proxy from the ISE PSNs:
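Before pointing ISE at the proxy it helps to exercise the [radius_server_auto] listener directly from one of the radius_ip_N hosts. The script below is an added example for this article (not code from the article, Cisco or Duo): a minimal RFC 2865 PAP client that builds the Access-Request the way ISE would, waits long enough for a push to be approved, and verifies the Response Authenticator so a reply encrypted with the wrong shared secret is reported as such rather than misread. It assumes the proxy listens on UDP 1812, that the host running it is one of the radius_ip_N entries with the matching radius_secret_N, and that the username/password are an AD account; the secret, username and password values used in the test are constructed placeholders.

```python
"""Smoke-test a Duo Authentication Proxy's [radius_server_auto] listener (added example).

Assumptions: the proxy listens on UDP 1812, this host is one of the radius_ip_N entries,
the secret passed in equals the matching radius_secret_N, and the credentials are an AD
account (the first factor). All sample values are constructed, not real.
"""
import hashlib
import hmac
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_REPLY_MESSAGE = 1, 2, 4, 18


def encode_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_password(secret: bytes, authenticator: bytes, encoded: bytes) -> bytes:
    """Inverse of encode_password: what the proxy does before it tries the AD bind."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(secret, ident, username, password, nas_ip, authenticator=None):
    """Access-Request as ISE would send it (PAP). The authenticator is random unless supplied for tests."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_password(secret, authenticator, password.encode()))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(secret, request, code, attrs=b""):
    """Server side (what the proxy sends back): Response Authenticator per RFC 2865 section 3."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(secret, request, response):
    """Reject replies whose Response Authenticator does not match: wrong shared secret or a forged packet."""
    if len(response) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length < 20 or length > len(response):
        raise ValueError("identifier or length mismatch")
    attrs = response[20:length]
    expected = hashlib.md5(response[:4] + request[4:20] + attrs + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: shared secret mismatch or forged reply")
    return code, _parse_attrs(attrs)


def check_proxy(host, secret, username, password, nas_ip, port=1812, timeout=60.0):
    """Send one request and wait long enough for the user to approve the Duo Push."""
    request = build_access_request(secret, 1, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        data, _ = sock.recvfrom(4096)
    code, attrs = verify_response(secret, request, data)
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject", ACCESS_CHALLENGE: "Access-Challenge"}
    messages = [v.decode("utf-8", "replace") for t, v in attrs if t == ATTR_REPLY_MESSAGE]
    return names.get(code, f"code {code}"), messages


if __name__ == "__main__":
    # usage: python radius_probe.py <proxy-host> <shared-secret> <username> <password> <this-host-ip>
    host, secret, user, pw, nas_ip = sys.argv[1:6]
    print(check_proxy(host, secret.encode(), user, pw, nas_ip))
```

Reading the result: an Access-Reject that arrives immediately with no push on the phone means the AD first factor failed (wrong password, wrong search_dn, or a service account that cannot bind); an Access-Accept only after the push is approved means both factors work; a socket timeout usually means this host is not one of the radius_ip_N entries or the firewall is blocking the port; and a "bad Response Authenticator" error means the proxy answered but with a different radius_secret_N than the one you passed in.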
Add Duo's Authentication Proxies
Go to Administration > Identity Management > External Identity Sources > RADIUS Token and click Add
Give it a name
Under the "Connection" tab, add the IP address and port of the Duo primary and, if applicable, secondary Authentication Proxy
Make sure that the "Shared Secret" matches the radius_secret_N you defined for this PSN in Step-2; a mismatch shows up as rejected or ignored requests on the proxy, not as a clear error in ISE
Change the "Server Timeout" to a value of 30 seconds or greater. ISE's default timeout of a few seconds expires before a user can pick up the phone and approve the Duo Push. The network devices wait on ISE in turn, so raise the TACACS+ server timeout on them as well (for example `timeout 30` under the `tacacs server` definition on IOS); otherwise the device gives up on the session even though ISE eventually receives the Access-Accept
Create Identity Source Sequence
While on the same page, click on "Identity Source Sequences" and then click "Add"
Give it a name
Add the newly created RADIUS Token Server and your AD join point to the "Selected" column in the "Authentication Search List". Order matters: list the RADIUS Token Server first. ISE stops at the first store that authenticates the user, so if the AD join point came first, a correct AD password would succeed there and no Duo Push would ever be sent. The AD join point stays in the sequence so that the AD group conditions used in the authorization rules can be evaluated
In this example, I have created a Policy Set that matches on both protocols (RADIUS and TACACS+) with the "Allowed Protocols" set to "Default Device Admin"
Inside my policy set, I have the following policies:
Authentication: the default rule is set to use the "Identity Source Sequence" that we defined in the steps above, which contains the RADIUS Token Servers (the Duo Authentication Proxies) and Active Directory:
Authorization: here I have a rule that checks whether the authenticated user belongs to either the "Domain Users" or the "NS-ISE-IOS-Admins" group that I have configured in AD. If the user belongs to one of these groups, the rule returns my pre-configured "Command Sets" and "Shell Profile." Note that matching on "Domain Users" grants every domain account that has been enrolled in Duo the same device-admin rights; in production, match only the dedicated admin group and give other users no rule, so that the default deny applies.
Step-4-Add and onboard users in Duo
Duo can also be configured to synchronize users automatically from your Active Directory. That is out of scope for this document; the process shown here is the manual creation of a user.
In the Duo console go to "Users > Add Users"
The username here must match the username that exists in your Active Directory, since the proxy passes the AD-authenticated name to Duo unchanged. In my example I am working with the username "nspasov"
After the user is added, you need to enroll the user with Duo (register a phone or other second factor). For more information, you can reference Duo's documentation: