ISE 2.1 with Duo 2 Factor

Eric Zuvic
Cisco Employee

Do we know if ISE works with Duo's 2-factor solution? I did see a reference on their site where they stated they support ISE, but no integration guides.

9 Replies

Alex Martin
Level 1

Has anyone attempted this yet? As Eric stated above, Duo states on their website that it is compatible with ISE, but I have yet to find a guide to show how the integration works. I have a customer that is interested in doing this and need to know if anyone out there has configured this yet.

I'm looking for the same thing and reached out to support. They 'said' they will open a case and send the documentation guide. I'll update if received.

I'm testing right now with a customer's ISE 2.0 using Duo and TACACS. I was not involved with the setup of Duo. I am somewhat successful. Here is what I found out so far.

When Duo is setup, there is a configuration file created in the Program files folder (c:\program files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg).  This file contains the radius shared secret as well as the IP addresses that were (I'm assuming here) created when Duo was setup.  In ISE, you need to add Duo as a RADIUS Token in Administration > Identity Management > External Identity Sources. Use the shared secret found in the authproxy.cfg file to configure the connection to the Duo server when you create a new RADIUS Token Identity Source.  In my testing, I've left everything pretty much default with the exception of the server timeout.

So far, I've only tested with TACACS, but it appears to just use RADIUS to communicate back and forth. The test I set up was with a 5505 WLC and it works (sometimes). I am not sure if there is some kind of timeout going on, but it seems like if I get the request from Duo and hit it straight away, it works, but if I wait more than a second or two after I get the Push notification from Duo on my phone, then the Authentication passes, but it never proceeds to Authorization. Could just need some more tweaking on timeout values.

I'll update when I've tested more.

Alex    

I heard back from DUO support and essentially it looks like they are still requiring the DUO proxy to be installed but ISE is the NAD in this case not the ASA?

ISE Duo Integration Steps

1. Sign up for a Duo account.
2. Log in to the Duo Admin Panel and navigate to Applications.
3. Click Protect an Application and locate RADIUS in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. See Getting Started for help.
4. Install the Duo Authentication Proxy.
5. Configure the Proxy:

[ad_client]
host=1.2.3.4
service_account_username=duoservice
service_account_password=password1
search_dn=cn=Users,dc=example,dc=com

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=<IP Address of the ISE>
radius_secret_1=thisisalsoaradiussecret
client=ad_client
port=1812
failmode=safe

6. Start the AuthProxy: net start DuoAuthProxy
7. Log in to Cisco ISE.
8. Go to Administrators > External Identity Sources > RADIUS Token and select Add.
9. Select Connection and then enter the IP address of the AuthProxy server and the shared secret of the AuthProxy server. Change the server timeout to 60 seconds and select Save.
10. Now change your Authentication Policy to use the External Identity Source you created for Duo. This is done under Policy > Authentication.


ISE Troubleshooting

In the web interface, choose Operations > RADIUS LiveLog.  This will show you all the RADIUS Authentications for the past 24 hours.  Clicking on the magnifying glass will take you to the authentication details for a request you are troubleshooting.



I would like to give this a try. Did you get this to work, and do I need the ad_client?

We used ISE as a RADIUS server, but with Active Directory as our external ID source. Now I need to "insert" Duo into the mix for 2-factor.

When you set this up, does it still allow you to use the Authorization profiles from ISE to set RADIUS attributes?

things like: 

Access Type = ACCESS_ACCEPT
CVPN3000/ASA/PIX7x-IPSec-Group-Policy = <AD_Group>

Framed-IP 

etc?


BrianEschen
Level 1

We are also trying to get this working. We want to use local ISE user/groups. We have the Duo proxy added as External Radius Token...

We have the proxy setup and I can get a Duo push but can't get the ISE authentication part working.


Would love to know if anyone else has had it work. We are going to open a ticket with TAC and see if they will be of any help.

Did you get this working? I am trying to use Duo as a multi-factor for access to network devices. I am having trouble getting ISE and the Auth Proxy to communicate properly. I can see info in the log of the authproxy when I test and failures on ISE. Something about either a bad password or wrong key. The key matches everywhere and I know the password is correct. In Duo I get this error: "[RadiusClient (UDP)] dropping packet from 10.200.1.30:1812 - response packet has invalid authenticator". Duo says it has to do with my ISE configuration.
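The "response packet has invalid authenticator" message in the post above is a RADIUS client rejecting a reply whose Response Authenticator did not verify. RFC 2865 section 3 defines that value as MD5(Code + ID + Length + RequestAuth + Attributes + Secret), so the check can only pass when both ends compute it with the same shared secret. The following is an added example (not code from the thread, from Duo, or from Cisco) that builds an Access-Request, has the server side answer it with a given secret, and runs the client-side verification with a matching and a mismatched secret. The packets, user name, request authenticator and secrets are all constructed for illustration.

```python
"""Added example: RADIUS Response Authenticator construction and verification
per RFC 2865 section 3.  Everything here (secrets, identifiers, attribute
values) is made up for illustration; it is not the Duo proxy's or ISE's code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_REPLY_MESSAGE = 18

# Constructed secrets: the "good" one mirrors the thread's example value.
GOOD_SECRET = b"thisisalsoaradiussecret"
WRONG_SECRET = b"thisisnottheradiussecret"


def encode_attrs(attrs):
    """Encode a list of (type, value_bytes) as RADIUS TLV attributes."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_access_request(identifier, attrs, request_auth=None):
    """Client side: Access-Request with a 16-byte random Request Authenticator.
    Returns (packet, request_auth); the client must keep request_auth to
    verify the reply later."""
    if request_auth is None:
        request_auth = os.urandom(16)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + request_auth + body, request_auth


def response_authenticator(code, identifier, attrs_bytes, request_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def build_response(code, identifier, request_auth, secret, attrs):
    """Server side: Access-Accept/Reject signed with the server's secret."""
    body = encode_attrs(attrs)
    auth = response_authenticator(code, identifier, body, request_auth, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + auth + body


def verify_response(packet, request_identifier, request_auth, secret):
    """Client side: the check the RADIUS client runs on every reply.
    Returns (ok, reason); reason is a short diagnostic string."""
    if len(packet) < 20:
        return False, "short packet"
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False, "bad length field"
    if identifier != request_identifier:
        return False, "identifier does not match outstanding request"
    received = packet[4:20]
    attrs = packet[20:length]
    expected = response_authenticator(code, identifier, attrs, request_auth, secret)
    # Constant-time compare; a mismatch here is exactly the proxy's
    # "response packet has invalid authenticator" condition.
    if not hmac.compare_digest(received, expected):
        return False, "response packet has invalid authenticator"
    return True, "ok"


def demo(server_secret=GOOD_SECRET, client_secret=GOOD_SECRET):
    """Run one request/response exchange with the given per-side secrets."""
    request, request_auth = build_access_request(
        identifier=7,
        attrs=[(ATTR_USER_NAME, b"alex"), (ATTR_NAS_IP_ADDRESS, bytes([10, 200, 1, 30]))],
        request_auth=bytes(range(16)),  # fixed for reproducibility only
    )
    reply = build_response(ACCESS_ACCEPT, 7, request_auth, server_secret,
                           [(ATTR_REPLY_MESSAGE, b"Duo push approved")])
    return verify_response(reply, 7, request_auth, client_secret)


if __name__ == "__main__":
    print("matching secrets:  ", demo())
    print("mismatched secrets:", demo(client_secret=WRONG_SECRET))
```

Because the MD5 covers the attributes as well as the secret, any change to the reply in transit also fails this check, so when the proxy log reports an invalid authenticator the two things worth comparing first are the exact secret bytes configured on each end (trailing whitespace included) and whether anything between the two hosts rewrites the packet.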