Authentication and Authorization Flow
- An admin user initiates a shell connection to a network device, authenticating with Active Directory based credentials
- The network device forwards the request to the TACACS+ server (ISE)
- ISE sends the authentication request to Duo's Authentication Proxy (as the external RADIUS token server configured later)
- The proxy forwards the request to Active Directory for first-factor authentication
- Active Directory informs the Authentication Proxy whether the authentication was successful
- Upon successful AD authentication, the Authentication Proxy sends an authentication request to the Duo cloud for second-factor authentication
- The Duo cloud sends a "push" to the admin user
- The admin user "approves" the "push"
- Duo informs the Authentication Proxy of the successful push
- The Authentication Proxy informs ISE of the successful authentication
- ISE authorizes the admin user according to its TACACS+ authorization policy
Devices Used
- Cisco ISE version 2.6
- WLC 2504 8.5.135.0
- Windows Server 2008 R2
- Duo iOS App version 3.30.0.11
WLC Configuration
ISE Configuration
Add the WLC to ISE as a network device and optionally assign it to a device group.
Build the TACACS+ policy, starting with the Results section. Again, this can be configured any way you want; for simplicity, I have configured full WLC access.
Configure an external RADIUS token server (this adds the Duo proxy server to ISE).
Make sure Active Directory is integrated with ISE and the join is active.
Create an Identity Source Sequence.
Build the authentication and authorization policy. Again, there are multiple ways to go about it; I have just done it in a simple way.
Duo Configuration
Log in to the Duo portal, choose the application you want to protect (in our case Cisco ISE) and click "Protect this Application". If you don't have a Duo account, you can create a free one for 30 days.
Note down the Integration key, Secret key and API hostname; you will need them when configuring the Duo proxy.
Users must be enrolled in Duo before they can authenticate. You can integrate an AD group or add users manually; for the convenience of this configuration, I have added myself manually. Look through the Duo documentation for full user integration and bulk enrollment:
https://duo.com/docs/enrolling-users
If you have only a few admins who need access to network devices, adding users manually should work fine. The Duo username must match the AD username (or whatever name is defined in your ISE policy to authenticate users). In my case, as you will see, the user has to be a member of Domain Admins to access the device.
Download the Authentication Proxy setup file from:
https://duo.com/docs/authproxy-reference
I am using Windows Server 2008 R2 or later (Server 2016 or 2019 recommended) as the authentication proxy.
Once the installation is complete, configure the Duo proxy settings by editing the authproxy.cfg file.
Example: the integration key, secret key and API hostname are the ones noted above. Note that the port number defined here is the same as the port defined for the RADIUS token server on ISE.
Once set up, start the Duo Authentication Proxy service (run as administrator).
At this point the Duo proxy should be listening for connections.
You can open the log file and review the logs to verify this.
You can also confirm that the proxy is able to communicate with AD and RADIUS.
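The shape of such a file, as an added illustration for this setup (an AD first factor handed to a RADIUS listener that ISE queries); this is not the author's configuration, and every hostname, IP address, key, secret and the port are placeholders that must be replaced with your own values:

```ini
; Added example authproxy.cfg; not the author's file, all values below are placeholders.

[ad_client]
; First factor: the proxy binds to AD with a service account and checks the user's password.
host=dc1.example.local
host_2=dc2.example.local
service_account_username=svc-duoproxy
service_account_password=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
search_dn=DC=example,DC=local
; Optional: only members of this group pass the first factor. The ISE authorization
; policy can enforce the same group membership; doing both is defence in depth.
; security_group_dn=CN=Domain Admins,CN=Users,DC=example,DC=local

[radius_server_auto]
; Second factor: ISE sends RADIUS requests here. ikey, skey and api_host are the
; Integration key, Secret key and API hostname noted in the Duo portal.
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_WITH_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
; The ISE node allowed to talk to this listener, with the shared secret entered on ISE's
; external RADIUS token server. Only listed clients are answered.
radius_ip_1=10.0.0.10
radius_secret_1=REPLACE_WITH_RADIUS_SHARED_SECRET
; Hand the first factor to the [ad_client] section above.
client=ad_client
; Must match the authentication port configured on the ISE external RADIUS token server.
port=1812
; "secure" denies login when the Duo cloud is unreachable; "safe" (the default) would
; let the AD password alone succeed, which removes the second factor for device admins.
failmode=secure
```

After editing the file, restart the Authentication Proxy service and check its log for the RADIUS listener coming up on the configured port.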
Testing
Log in to the WLC CLI
ISE Logs
Auth Proxy Log