About asdraper

asdraper · 12-18-2024

I have recently found that the way our ISE was set up, we have one Active Directory Join Point, pointing to a global catalog server so that we can authenticate users across multiple domains with trusts. Now, we have users with active accounts in the...

asdraper · 05-02-2024

Now that LDAPS to Duo Cloud has been deprecated, is there still a way to protect VPN access to a Cisco ASA using logins that are local accounts on the ASA? And is it possible to do without a proxy server in the middle? Everything I have found point...

asdraper · 03-27-2024

I am creating Deployment Profiles from Secure X in order to push Secure Client (and our modules) to workstations and servers. The deployment profile for workstations works as expected, whether using a Full Installer or Network installer. I am now t...

asdraper · 11-16-2023

We are trying to get Duo SSO working to protect ASA VPN logins across multiple domains. Our ASA can obviously authenticate users across domain names, and I have a SAML to Duo auth working in our primary domain. As I add other domains, though, I hav...

asdraper · 12-24-2024

Is there any way I can break the trust / prevent one domain join point from looking for accounts in other domains that have a trust?I set up a new AD join point, and the account that was previously getting grabbed by the wrong domain and coming back ...

asdraper · 12-19-2024

I misspoke a bit earlier. The AuthC is actually passed from the ASA to Duo, then when the user account passes AuthC then the ASA is set to hand it off to ISE for AuthZ.

asdraper · 12-19-2024

Understood - I am cleaning up the setup that a vendor did for us years back and I suspected as much. They made one join point and added the Domain Users group so everyone got swept up into one big rule. I am attempting to break it all apart again. ...

asdraper · 12-19-2024

Our AuthC is happening on the ASA, then passed to ISE for AuthZ. I have the Identity groups built with rules associated with them. The issue is it appears that the disabled user account is being found first and it fails the Authorization as being d...

asdraper · 05-02-2024

Ah, that's what I was hoping to avoid. So LDAP should still technically work, but it does not sound like there is a supported method of authenticating directly from ASA local accounts to Duo without a Proxy server in between.

Member Since	‎10-23-2023 10:34 AM
Date Last Visited	‎12-30-2024 01:44 PM
Posts	11

User Statistics

User Activity

Best Practices for using ISE Authorization across multiple domains

ASA VPN using local logins and Duo

Cisco Secure Client Module not installing Windows Server 2022

Duo SSO with multiple Domains

Re: Can we join Single Cisco ISE node to multiple Active Directory For

Re: Best Practices for using ISE Authorization across multiple domains

Re: Best Practices for using ISE Authorization across multiple domains

Re: Best Practices for using ISE Authorization across multiple domains

Re: ASA VPN using local logins and Duo