on 02-15-2018 10:27 AM
Have tested using DUO with ISE2.3 and ACS 5.6 for network device access using 2FA. Here are the steps for your reference:
Test it out and enjoy it.
Thank you very much for adding your notes for ISE/ ACS integration with Duo.
I will add this to the 2FA community page.
Two Factor Authentication on ISE – 2FA on ISE
-Krishnan
Thank you so much for sharing. I am currently deploying ISE 2.3 in our network, and TACACS+ is definitely a key component of that deployment. We are also looking into deploying DUO. I am new to DUO and 2FA, so with this setup, regardless of whether it is on- or off-campus access, will 2FA always occur?
It's the same as any of the other services. It depends on your setup, whether you use private or public IPs for the Duo proxy servers.
Thanks,
Song
What about if they want to use the PIV/CAC card for user authentication for VPN users? Can that be done using ISE?
Is this a specific ask for this product or a general question? If the latter, please post a new question with the full details and the product you're asking about.
I am seeing conflicting designs out here!
I see a design where the ASA points to ISE and then ISE points to Duo proxies. The Duo proxy is set up as a RADIUS token server, and ISE is set up as a RADIUS server in the Duo config.
I am having lots of issues with this config. I have also figured out that with this configuration, if the user is configured in AD but NOT in Duo, they still authenticate to the VPN. I assume this is because the ASA looks to ISE, and if ISE says it's good then it sends that back to the ASA and the user authenticates freely without the intervention of DUO. If the ASA points to DUO, then DUO does the first check for the user in DUO. Am I right in that thinking?
Then I see designs that say the ASA points to the DUO proxy and the DUO proxy points to ISE, and the ISE servers are RADIUS clients in the DUO config.
I have not tried this, but here are the issues with that:
The ASA will only point to a single DUO proxy, so there is a single point of failure there; I can see putting the DUO proxies behind an F5 VIP and using it that way. But I have issues with that on its own, due to the fact that the DUO proxy is a service, so if the service is down but the node can still answer ICMP, it's still "UP" and never fails over to the secondary DUO proxy or takes the primary offline.
Hi Mountain Man, this just about worked for me, but here are my findings. I still got this working, though with a slightly different method.
I had a look at the ACS/ISE guide which is also shared by duo. I ran into an issue with ISE 2.4 Patch 5. When I added an external ID source I got a lot of error 401 in the DUO proxy log. Our initial login to the devices was via RADIUS not TACACS.
I fixed the issue by configuring the DUO auth proxy as an external radius server with timeout of 60 seconds.
Configured a radius server sequence pointing to the new external RADIUS server.
In the advanced options, select "Continue to authorization policy on access accept".
Configured the policy set in ISE to reference the external RADIUS server sequence.
Configured authorization policies as required with different levels of access.
Hope this helps anyone who is struggling to get ISE working with RADIUS MFA from a network device. I also believe this would work for other RADIUS-based logins via ISE.
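Two of the problems raised in this thread come down to the same question: does the Duo Authentication Proxy actually answer RADIUS, and how long does it take? An ICMP monitor on an F5 VIP cannot tell a dead proxy service from a live host, and ISE's external RADIUS server timeout only helps if it is long enough to cover a push. The script below is an added example, not code from the thread, from Duo or from Cisco: it builds one RFC 2865 Access-Request with only the Python standard library, sends it to the proxy, waits up to a configurable timeout (60 seconds by default, matching the ISE setting used above), validates the Response Authenticator with the shared secret, and exits non-zero unless the proxy really answered. The host, port, shared secret and probe account are placeholders you substitute for your environment; whether your proxy returns a prompt Access-Reject for a dedicated probe account (so the monitor does not trigger pushes) depends on your Duo policy and is an assumption, not something the thread states.

```python
"""Service-level RADIUS probe for a Duo Authentication Proxy (added example).

Sends one RFC 2865 Access-Request and waits up to `timeout` seconds for an
Access-Accept / Access-Reject / Access-Challenge. Any of those proves the
proxy *service* is up; ICMP only proves the host is up.
Standard library only. Host, port, secret and probe account are placeholders.
"""
import hashlib
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
CODE_NAMES = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", ACCESS_CHALLENGE: "challenge"}


def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def decode_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_password (what the server does); strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = encoded[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length includes the 2 header bytes."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         authenticator: bytes, nas_ip: str = "127.0.0.1") -> bytes:
    """Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes..."""
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """What a RADIUS server sends back; used here to exercise verify_response offline."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, identifier: int, request_authenticator: bytes, secret: bytes):
    """Return the Code if the Response Authenticator checks out, else None.

    RFC 2865 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    A reply that fails this check could come from anyone on the path, so it counts as no reply.
    """
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != identifier or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return code if expected == response[4:20] else None


def probe(host: str, port: int, username: str, password: str, secret: bytes,
          timeout: float = 60.0) -> str:
    """'accept'/'reject'/'challenge' mean the service answered; anything else means it did not."""
    identifier = os.urandom(1)[0]
    authenticator = os.urandom(16)
    packet = build_access_request(identifier, username, password, secret, authenticator)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(packet, (host, port))
            data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    return CODE_NAMES.get(verify_response(data, identifier, authenticator, secret), "invalid")


if __name__ == "__main__":
    # usage: radius_probe.py <proxy-host> <port> <user> <password> <shared-secret> [timeout-seconds]
    host, port, user, pw, secret = sys.argv[1:6]
    secs = float(sys.argv[6]) if len(sys.argv) > 6 else 60.0
    result = probe(host, int(port), user, pw, secret.encode(), secs)
    print(result)
    # Exit 0 only when the proxy actually answered; an external monitor treats non-zero as DOWN.
    sys.exit(0 if result in ("accept", "reject", "challenge") else 1)
```

Run it from the ISE node (or from the F5, as an external monitor) against each proxy in turn with the same shared secret the RADIUS server sequence uses; a "timeout" against a host that still pings is exactly the failure mode the ICMP monitor misses, and the wall-clock time of an "accept" on a real push account tells you whether the 60-second ISE timeout is enough.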
I have moved to a completely different design that I have worked with Cisco and DUO with and we have decided it was the best design for my scenario.
In my scenario we moved to the Cisco ASA doing the authentication (DUO Only) to the DUO API in the Cloud. This was used as secondary authentication and then primary authentication was to Cisco ISE for AD and dACL.
The issue with using ASA -> ISE -> Duo Proxy was that we had major timing issues with the push method to people's phones. It was causing lockouts consistently, so we needed a new solution.
Then we tried ASA -> DUO Proxy -> ISE. The issue here was CoA. I couldn't get users assigned to the correct dACL, and I think the issue was that the DUO Proxy couldn't pass the CoA packet to the ISE server.
So that led us to the ASA doing the auth to both ISE and DUO. It has cleared up the timing issues and has removed 2 Duo Proxies from my VMware environment.
on 02-19-2019 06:32 AM
Hi Steven,
ISE is primary authentication and DUO-LDAP is secondary authentication.