In this setup, ISE receives the TACACS+ authentication request from the network device and forwards the user's credentials over RADIUS to the Duo Authentication Proxy. The proxy checks the credentials against AD; if that first factor succeeds, the end user/admin is sent a "Duo Push." If the AD authentication fails, the process stops and no "Duo Push" is sent.
Note: For integration of Duo with ISE and the local (ISE) datastore, please visit the following link:
Install the Authentication Proxy on your Windows or Linux machine (installation instructions are available in the link above). In this example, I have installed the primary Authentication Proxy on a Windows 10 machine and the secondary on Ubuntu.
Configure the proxy by editing the authproxy.cfg file:
[ad_client]
host=18.104.22.168                  >>> IP Address/FQDN of Primary AD Server
host_2=22.214.171.124               >>> IP Address/FQDN of Secondary AD Server
service_account_username=duoservice >>> AD Service Account
service_account_password=password1  >>> AD Service Account Password
search_dn=DC=example,DC=com         >>> AD Base DN

[radius_server_auto]
ikey=xxxxxxxxxxxxxx                 >>> Your integration key (Step-1)
skey=xxxxxxxxxxxxxx                 >>> Your secret key (Step-1)
api_host=xxxxxxxxxxxxxx             >>> Your API hostname (Step-1)
radius_ip_1=10.1.1.1                >>> IP address of primary ISE PSN
radius_secret_1=xxxx                >>> AAA secret
radius_ip_2=10.1.1.2                >>> IP address of secondary ISE PSN
radius_secret_2=xxxx                >>> AAA secret
failmode=safe                       >>> If the Duo cloud service is unreachable, allow logins on the AD factor alone; set to "secure" to fail closed instead
client=ad_client                    >>> Instructs the proxy to use AD for 1st factor authentication
port=1812                           >>> RADIUS Port

Two things to keep in mind with this file: "failmode=safe" trades availability for security (an outage of the Duo service silently turns this into single-factor TACACS+ for your network admins), so decide deliberately whether "secure" is the better fit for device administration. Also, the AD service account password, skey and RADIUS secrets are stored in clear text here, so restrict file permissions on authproxy.cfg to the account the proxy runs as, or use Duo's authproxy_passwd utility to store those values encrypted.
Start the proxy server(s) and check the proxy logs for any configuration or connectivity errors:
Note: In Windows installations, make sure that the Windows Firewall is configured to allow connections for the authentication proxy:
Add Duo's Authentication Proxies
Go to Administration > Identity Management > External Identity Sources > RADIUS Token > Click Add
Give it a name
Under the "Connection" tab, add the information for the Duo Primary and Secondary (if applicable) Authentication Proxies
Make sure that the "Shared Secret" matches what you defined in Step-2
Change the "Server Timeout" to a value of 30 seconds or greater to avoid RADIUS timeouts; the proxy holds the request open until the user approves or denies the Duo Push, so ISE's default timeout is too short
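Before pointing ISE at the proxies, it helps to exercise the RADIUS leg on its own: the shared secret, port 1812 and the long timeout are exactly what break most often. The following is an added example, not code from the article or from Duo: a minimal RFC 2865 Access-Request client in Python that encodes User-Password the way ISE does, sends it to the proxy, waits long enough for a Duo Push to be answered, and verifies the Response Authenticator on the reply so that a wrong shared secret is caught rather than silently accepted. The host, secret, username and password in the usage lines are placeholders (assumptions, not values from the page). The build_response helper only exists so the parser can be exercised offline.

```python
"""Minimal RADIUS (RFC 2865) Access-Request test client for the ISE -> Duo
Authentication Proxy leg.  Added example; not part of the original article.
Placeholder values (proxy address, secret, user) are assumptions."""
import hashlib
import os
import socket
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        enc = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + enc, enc
    return out


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password (what the proxy does on receipt).
    Trailing NUL padding is stripped, so passwords ending in NUL are not supported."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one attribute (length includes the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, secret: bytes, username: str, password: str,
                         nas_ip: str, authenticator: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (packet, request_authenticator).  The authenticator must be random
    per request; it is a parameter only so tests can be deterministic."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    return header + attrs, authenticator


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """Build a reply the way a RADIUS server would (RFC 2865 3); used for offline tests."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return head + resp_auth + attrs


def parse_response(packet: bytes, request_authenticator: bytes,
                   secret: bytes) -> Tuple[int, Dict[int, List[bytes]]]:
    """Verify the Response Authenticator and return (code, attributes).
    A mismatch means the reply was not produced with our shared secret (or was tampered)."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if packet[4:20] != expected:
        raise ValueError("Response Authenticator mismatch: wrong shared secret or tampered reply")
    attrs: Dict[int, List[bytes]] = {}
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return code, attrs


def send_request(host: str, port: int, secret: bytes, username: str, password: str,
                 nas_ip: str, timeout: float = 60.0) -> int:
    """Send one Access-Request and return the reply code.  The timeout has to cover
    the time the user needs to approve the Duo Push; a short one reproduces the
    RADIUS timeouts the article avoids by raising ISE's Server Timeout."""
    packet, req_auth = build_access_request(1, secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, req_auth, secret)[0]


if __name__ == "__main__":
    # Live test against a proxy (placeholder values, not from the article):
    #   code = send_request("192.0.2.10", 1812, b"testing123", "nspasov", "Passw0rd!", "10.1.1.1")
    #   print({ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, code))
    # Offline self-check: build a request, fake the proxy's Accept, and verify it.
    pkt, auth = build_access_request(1, b"testing123", "nspasov", "Passw0rd!", "10.1.1.1")
    print(parse_response(build_response(ACCESS_ACCEPT, 1, auth, b"testing123"), auth, b"testing123")[0])
```

Run it from the machine whose IP you listed as radius_ip_1 (the proxy drops requests from unknown RADIUS clients), and watch the proxy log while it waits for the push. Note that RADIUS User-Password hiding is MD5-based and offers no real confidentiality against anyone on the path, and this client omits the Message-Authenticator attribute; keep the ISE-to-proxy leg on a trusted management network.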
Create Identity Source Sequence
While on the same page, click on "Identity Source Sequences" and then click "Add"
Give it a name
Add the newly created RADIUS Token Server and your AD Join Point to the "Selected" column in the "Authentication Search List"
In this example, I have created a Policy Set that matches on both protocols (RADIUS and TACACS+) with the "Allowed Protocols" set to "Default Device Admin"
Inside my policy set, I have the following policies:
Default rule set to check the "Identity Source Sequence" that we defined in the steps above which contains the RADIUS Token Servers (Duo Authentication Proxies) and Active Directory:
Here I have a rule that checks whether the authenticated user belongs to either the "Domain Users" or the "NS-ISE-IOS-Admins" group that I have configured in AD. If the user belongs to one of these groups, I return my pre-configured "Command Sets" and "Shell Profile."
Step-4-Add and onboard users in Duo
Duo can also be configured to sync users automatically from your Active Directory. However, that is out of scope for this document; the process shown here is the manual creation of a user
In the Duo console go to "Users > Add Users"
The username here must match the username that exists in your Active Directory. In my example, I am working with the username "nspasov"
After the user is added, you need to enroll the user with Duo. For more information on that you can reference Duo's documentation: