Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
759
Views
0
Helpful
0
Replies

anyconnect TFA with Duo and ISE

MichaelKim24362
Level 1
Level 1

‎09-20-2020 03:28 PM

Hello,

I have a task as below, but encountered an issue. Please help me.

Task: Anyconnect user uses two factor authentication, Duo and ISE internal account

Scenario: AAA on ASA points to Duo Proxy server and Duo Proxy server authenticates to ISE radius server with internal user account. There is no Active Directory authentication.

Issue: ISE log shows "5405 radius request dropped".

 

When AAA on ASA points to directly ISE, it works well and assign group policy appropriately.

However, when AAA on ASA points to Duo Proxy server, authentication does not work.

 

I think that radius attribute type does not match between duo proxy and ISE radius because I remember that the log on ISE said data type(?) or radius attribute type(?) does not match.

The Duo Proxy server is registered on ISE with basic profile(?) as "cisco"

Is there anything I need to do?

 

Most scenario from internet uses Active Directory as an external authentication, but my case is not.

Please help.

Labels:
0 Helpful
0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents