Authentication and Authorization Flow

  1. An admin user initiates a shell connection to a network device using Active Directory based credentials
  2. The network device forwards the request to the TACACS+ server (ISE)
  3. ISE sends the authentication request to Duo's Authentication Proxy
  4. The proxy forwards the request to Active Directory for the 1st factor authentication
  5. Active Directory informs the Authentication Proxy whether the authentication was successful
  6. Upon successful AD authentication, the Authentication Proxy sends an authentication request to the Duo cloud for 2nd factor authentication
  7. The Duo cloud sends a "push" to the admin user
  8. The admin user "approves" the "push"
  9. Duo informs the Authentication Proxy of the successful push
  10. The Authentication Proxy informs ISE of a successful authentication
  11. ISE authorizes the admin user


Reference: https://community.cisco.com/t5/security-documents/duo-mfa-integration-with-ise-for-tacacs-device-administration/tac-p/3951156#M6538

Devices Used

  • Cisco ISE version 2.6
  • WLC 2504 8.5.135.0
  • Windows Server 2008 R2
  • Duo iOS App version 3.30.0.11

WLC Configuration


ISE configuration

Add the WLC to ISE as a network device and optionally assign it to a device group.


Build the TACACS policy starting with the Result. Again, this can be configured any way you want; for simplicity, I have configured full WLC access.

Configure an external RADIUS token server (adding the Duo proxy server on ISE).

Make sure your AD is integrated and active.

Create an Identity Source Sequence.

Build the authentication and authorization policy. Again, there are multiple ways to go about it; I have just done it in a simple way.

DUO Configuration

Log in to the Duo portal and choose the application you want to protect, in our case Cisco ISE, then click "Protect this Application". If you don't have a Duo account, you can create a free one for 30 days.


Note down the Integration key, Secret key and API hostname; you will need them when configuring the Duo proxy.


You will need users enrolled in Duo in order to authenticate. You can integrate an AD group or add users manually; for the convenience of this configuration, I have added myself manually. Look through the Duo documentation for full user integration and bulk enrollment.

https://duo.com/docs/enrolling-users

If you have only a few admins who need access to network devices, then adding users manually should work fine. This username should match the AD username, or whatever name is defined in your ISE policy to authenticate users. In my case, as you will see, the user has to be part of Domain Admins to access the device.


Download the Authentication Proxy setup file from

https://duo.com/docs/authproxy-reference

I am using Windows Server 2008 R2 or later (Server 2016 or 2019 recommended) as the Authentication Proxy.


Once installation is complete, configure the Duo proxy settings by editing the authproxy.cfg file.


Example: the key, secret and api_hostname are the ones noted above. Note that the port number defined here is the same as the one on the RADIUS token server defined on ISE.
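As an added example (not from the original post or from Duo), the following checks an authproxy.cfg for the consistency points above: the [ad_client] and [radius_server_auto] sections are present with their required keys, the listening port matches the RADIUS token server port on ISE, the RADIUS client is the ISE node, and failmode is secure so an unreachable Duo cloud does not let admins in on the first factor alone. The embedded config, the ISE address 10.0.0.10 and the port 1812 are constructed placeholders.

```python
import configparser

# Constructed sample authproxy.cfg; every value is a placeholder.
SAMPLE_CFG = """[ad_client]
host=10.0.0.5
service_account_username=duo_svc
service_account_password=PLACEHOLDER_PASSWORD
search_dn=DC=example,DC=local

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=10.0.0.10
radius_secret_1=PLACEHOLDER_RADIUS_SECRET
client=ad_client
port=1812
failmode=secure
"""

# Keys the proxy needs for AD as first factor and Duo push as second.
REQUIRED = {
    "ad_client": ("host", "service_account_username",
                  "service_account_password", "search_dn"),
    "radius_server_auto": ("ikey", "skey", "api_host", "radius_ip_1",
                           "radius_secret_1", "client", "port"),
}


def check_authproxy(cfg_text, ise_ip, ise_token_port):
    """Return a list of problems; an empty list means the config is consistent."""
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    problems = []
    for section, keys in REQUIRED.items():
        if not cp.has_section(section):
            problems.append(f"missing section [{section}]")
            continue
        problems += [f"[{section}] missing {k}" for k in keys if not cp[section].get(k)]
    rs = cp["radius_server_auto"] if cp.has_section("radius_server_auto") else {}
    # The listening port must match the RADIUS token server defined on ISE,
    # and the only RADIUS client the proxy should trust is the ISE node.
    if rs.get("port") != str(ise_token_port):
        problems.append("port does not match the ISE RADIUS token port")
    if rs.get("radius_ip_1") != ise_ip:
        problems.append("radius_ip_1 is not the ISE node")
    if rs.get("client") != "ad_client":
        problems.append("client must be ad_client so AD is the first factor")
    if rs.get("failmode", "safe") != "secure":
        problems.append("failmode=safe lets logins through without MFA if Duo is unreachable")
    return problems
```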


Once set up, start the Duo Authentication Proxy service, running it as administrator.


At this point the Duo proxy should be listening for connections.

You can open the log file and check the entries to verify this.


You can also confirm that the proxy is able to communicate with AD and with the RADIUS client (ISE).


Testing

Log in to the WLC CLI.


ISE Logs


Auth Proxy Log
