I have recently found that the way our ISE was set up, we have one Active Directory Join Point, pointing to a global catalog server so that we can authenticate users across multiple domains with trusts. Now, we have users with active accounts in the...
Now that LDAPS to Duo Cloud has been deprecated, is there still a way to protect VPN access to a Cisco ASA using logins that are local accounts on the ASA? And is it possible to do without a proxy server in the middle? Everything I have found point...
I am creating Deployment Profiles from Secure X in order to push Secure Client (and our modules) to workstations and servers. The deployment profile for workstations works as expected, whether using a Full Installer or Network installer. I am now t...
We are trying to get Duo SSO working to protect ASA VPN logins across multiple domains. Our ASA can obviously authenticate users across domain names, and I have a SAML to Duo auth working in our primary domain. As I add other domains, though, I hav...
Is there any way I can break the trust / prevent one domain join point from looking for accounts in other domains that have a trust? I set up a new AD join point, and the account that was previously getting grabbed by the wrong domain and coming back ...
I misspoke a bit earlier. The AuthC is actually passed from the ASA to Duo, then when the user account passes AuthC then the ASA is set to hand it off to ISE for AuthZ.
Understood - I am cleaning up the setup that a vendor did for us years back and I suspected as much. They made one join point and added the Domain Users group so everyone got swept up into one big rule. I am attempting to break it all apart again. ...
Our AuthC is happening on the ASA, then passed to ISE for AuthZ. I have the Identity groups built with rules associated with them. The issue is it appears that the disabled user account is being found first and it fails the Authorization as being d...
Ah, that's what I was hoping to avoid. So LDAP should still technically work, but it does not sound like there is a supported method of authenticating directly from ASA local accounts to Duo without a Proxy server in between.