10-24-2024 05:11 AM - edited 11-01-2024 11:20 PM
Hi, I hope someone can help me solve a Failed Identity Sync Status when trying to enable the DUO functionality in ISE v3.3.
I recently upgraded ISE from v3.1 to v3.3 and applied patch 3. I was then made aware of a bug in patch 3 and was asked to apply the hot patch ise-apply-CSCwk79546_3.3.0.430_patch3-SPA.tar, which I did with no problem.
I then followed the instructions in this document to the letter: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-33/221232-configure-ise-3-3-native-multi-factor-au.html
However, at the end of this process I ended up with a Failed Identity Sync Status in the Identity Sync of the External Identity Sources.
When I pasted the keys and API name from DUO and tested the connection it said the keys were valid.
Please also note that the previous way of using DUO is still enabled. We are still using the external Proxy. I didn’t disable this way because I wanted to test the integrated DUO first.
ISE still has connectivity with our domain controller which is why the policy sets are still working with the groups originally imported.
Can someone help me understand why I get the Failed Identity Sync Status message, please, and/or how to troubleshoot it?
When I click on the FAILED output it says No Data Found.
Configure Identity Sync. This process synchronizes users from the Active Directory groups you select into Duo Account using API credentials provided earlier. Select Active Directory Join Point. Click on Next.
11-01-2024 11:07 PM
Following on from my last post I have managed to narrow down the cause of the problem. As mentioned in my original post, we already had DUO working with a proxy and the users were manually created in DUO in the DUO production account.
I decided to open a free DUO account and test with that one. The result was that Identity Sync in ISE immediately returned the success result. I managed to use DUO in the policy sets for TACACS and received the MFA message on my app every time I logged on to a network device. This is how I expected it to work, so no problem here.
So, the above test tells me there is something wrong in our DUO production account that prevents ISE from completing the Identity Sync process successfully. I suspect it has something to do with us manually creating the users in the DUO account. Can anyone suggest what debug I can use in ISE to see what is happening, and how to view the debug file created?
Alternatively, how could I clear the users created in the DUO production account and, if required, put them all back again without having to create them one by one again?
Any help will be much appreciated.
Thank you!