Have tested using DUO with ISE 2.3 and ACS 5.6 for network device access using 2FA. Here are the steps for your reference:
1. Set up the DUO proxy server and add the ISE IPs as DUO proxy clients.
2. In ISE, add DUO as a RADIUS Token in Administration > Identity Management > External Identity Sources.
3. Under the Connection tab, change the Server Timeout value from the default to 30 seconds (or another appropriate value) to relax the user input timeout. Make sure you have the correct DUO proxy server IP address and Shared Secret entered there, and add the secondary server info if you have an HA setup for the DUO proxy servers.
4. Add the network admins under Identities > Users and create an identity group, such as Net Admin; add all the network admin users you created under Identities to the group. Note: make sure that for each user you added, DUO is picked as the Password Type under Passwords.
5. Create a policy set for network admin access with the condition DEVICE: Network Device Profile EQUALS: Cisco, where Cisco includes all your Cisco network devices (this is just an example for Cisco). Note: make sure you put the new policy set at the bottom of the Policy Sets if you have multiple policy sets, such as VPN clients, wireless clients, and so on, since you do not want to use the same admin user names as other user names, such as AD domain user names.
6. Authentication Policy: set the protocol match condition equal to RADIUS.
7. Authorization Policy: set the Identity group equal to the network admin group you created above.
8. Configure the Cisco device AAA section:
   a. Create a RADIUS server group and add the ISE servers under that group.
   b. Configure authentication login default to use the RADIUS group, with optional local fallback after RADIUS fails.
   c. Configure authorization commands default to use the TACACS+ group, assuming you already have this group with the ACS IPs configured.
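The device-side AAA section from the last step, written out as an added IOS/IOS-XE example; it is not the poster's configuration, and the server names, addresses and keys are placeholders. One assumption beyond the post: the device's RADIUS timeout is raised to match the 30-second ISE Server Timeout, because a DUO push approval takes longer than the IOS default of 5 seconds, and a device-side timeout would otherwise fall through to local authentication before ISE answers.

```cisco
! Added example, not from the original post. Names, addresses and keys are placeholders.
aaa new-model
!
! ISE PSNs fronting the DUO RADIUS Token server (ISE steps 2-3)
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 ! keep >= the ISE Server Timeout so the push can be answered before the device gives up
 timeout 30
 retransmit 1
 key 0 REPLACE-WITH-RADIUS-SECRET
!
radius server ISE-PSN-2
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 timeout 30
 retransmit 1
 key 0 REPLACE-WITH-RADIUS-SECRET
!
aaa group server radius ISE-2FA
 server name ISE-PSN-1
 server name ISE-PSN-2
!
! TACACS+ group pointing at ACS; the post assumes this already exists
tacacs server ACS-1
 address ipv4 192.0.2.20
 key 0 REPLACE-WITH-TACACS-SECRET
aaa group server tacacs+ ACS-TACACS
 server name ACS-1
!
! Login via ISE (DUO 2FA) first; "local" is used only when no RADIUS server
! responds, never when ISE/DUO rejects the user
aaa authentication login default group ISE-2FA local
!
! Per-command authorization stays on ACS over TACACS+ (exec authorization added here
! so the session privilege level is also set by ACS)
aaa authorization exec default group ACS-TACACS local
aaa authorization commands 15 default group ACS-TACACS local
aaa authorization config-commands
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 transport input ssh
```

Verify with a test user before relying on it: a successful login should show one RADIUS Access-Request to ISE whose reply arrives only after the push is approved, and "show aaa servers" should report no timeouts on the ISE entries.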