Support Group Policies with DUO MFA to Secure AnyConnect Integrated with ISE

by Jeff Thurston

DUO is a fantastic product. The integration is very simple and the product works well, especially the user experience. One area is severely lacking, however: documentation of what I would consider the proper integration of Duo with ISE.

Several methods are documented and I have tried them all. Each either fails to provide the log detail I required, splits event details across platforms so that correlation becomes tedious, or costs you important capabilities in ISE.

Since the process I came up with is not documented anywhere, I decided to write it up for everyone to use, or, even better, for someone to find problems with so we can refine the configuration further. So… down the rabbit hole we go, and it is going to be deep this time.

This is how Duo tells you to do it. It works, but it provides only the bare necessities.

Reference: duo.com

With this configuration you lose the ability to query Active Directory for the groups the AnyConnect user is a member of. The Duo proxy cannot supply that information to ISE: even with its attribute pass-through option enabled (garbage-in/garbage-out, as I think of it) it can only relay attributes verbatim from an upstream RADIUS server, and here the upstream is Active Directory reached over LDAP, so there are no RADIUS attributes to relay in the first place.

Take a look at this and I’ll explain in detail how it’s done.

So what’s different about this from what DUO has documented?

We are using an Identity Source Sequence in ISE. This lets us use both sources, the Duo Proxy/Duo Cloud and Active Directory, in a single login and receive complementary information from each: ISE authenticates the user against the Duo proxy (first in the sequence), then retrieves the groups the user is a member of from Active Directory during authorization. We can then match those groups in our ISE Authorization Conditions. It also lets us differentiate, in the ISE Live Log, between a bad password and a Duo second factor rejected by the user.

For example, if the user is a member of the AD group “VPN-DevOps”, we create a condition in ISE that matches that membership and returns a result to the ASA carrying RADIUS Class (attribute 25) with the value “OU=VPN-DevOps;” (the ASA expects the group-policy name in that OU= form), which the ASA maps to the group-policy of the same name, “VPN-DevOps”. This way we can assign different vpn-filter access-lists, webvpn options, DNS, DHCP and so on per group: simply create an ASA group-policy for each variation of group you have. This is especially useful because you are then controlling which users can use AnyConnect at all; otherwise it is ALL users found in AD, including service accounts.

Obviously you also need the user enrolled in Duo, and you would not be enrolling your service accounts there. My point, however, is that group-based authorization is something you should already be doing in your AnyConnect configuration BEFORE Duo; once you bring Duo along you should not be changing that process, merely adding to it.

Let’s assume you have a working ISE installation which is already integrated with Active Directory. Add the Duo proxy as an External RADIUS Token Server. In ISE go to;

Administration –> Identity Management –> External Identity Sources. Select “RADIUS Token”. Click “Add”.

Fill in the information from the Duo Proxy such as IP address, shared secret, etc.

You can specify a primary and a secondary server here (the limit per entry is two), but there is not much stopping you from creating additional RADIUS Token entries and listing each of them in the identity source sequence.

Configure your Duo Proxy to accept authentication requests from both ISE nodes or however many Policy Services Nodes you happen to have. The following is an example authproxy.cfg file for reference. The proxy is also configured to authenticate against Active Directory, and of course also requires the Integration Key, Secret Key, and API URL. 

; AD is the identity store/source the proxy validates the primary password against
[ad_client]
host=172.y.y.y
host_2=172.y.y.y
service_account_username=service-account
service_account_password=service-password
search_dn=DC=windowsdomain,DC=local

; ISE Policy Service Nodes listed here as RADIUS clients (one radius_ip_N / radius_secret_N pair per PSN)
[radius_server_auto]
ikey=xxxxxx
skey=yyyyyy
api_host=api-abcxyz.duo.com
radius_ip_1=172.x.x.x
radius_secret_1=********
radius_ip_2=172.y.y.y
radius_secret_2=********
client=ad_client
port=1812
; safe = fail open: if the Duo cloud is unreachable, logins succeed on the AD password alone
; secure = fail closed: reject logins while Duo is unreachable
failmode=safe

; Enable debugging while testing; turn it off again before production use
[main]
debug=true

Now that we have the proxy running (make sure it starts properly in services.msc after any changes to the configuration file) it’s time to configure ISE for Active Directory which will be used as part of the Identity Source Sequence. You should already be familiar with joining ISE to a Windows Domain, if not, it is pretty simple.

Navigate to Administration > Identity Management: External Identity Sources.

On the left hand side panel, open Active Directory and click Add.

Fill in your domain information. Join Point Name is just a label; Active Directory Domain is the actual FQDN of the domain you are responsible for. Upon submitting you will be prompted for the username and password of an account with permission to join workstations to the domain.

Now we just need to tell ISE about the interesting groups in AD we want to use. Simply select your domain under Active Directory on the left and then go to the Groups tab. Click Add and Select Groups from Directory.

Enter your search, in my case I just want “Domain Users” but you can of course create dedicated groups in AD and then put your VPN users in that group. When finished click OK.

Repeat as necessary.

Now go to Administration > Identity Management; Identity Source Sequences.

Click Add to create a new sequence and setup the sequence as follows:

From the Available sources; select your RADIUS Token Server (Duo Proxy) followed by your AD join point.

The order is important: Duo first, then AD. ISE authenticates against the first source in the sequence that answers, so if AD were listed first a correct password alone would satisfy authentication and the Duo proxy, and with it the second factor, would never be consulted.

OK, so how do we make use of all of this? Let’s go to your Policy Sets in ISE. We are going to create a policy set for AnyConnect which accepts connections from your ASA firewalls and/or Firepower Threat Defense appliances.

Open the new Policy Set and specify the Identity Source Sequence on the right side.

You want the options shown as well.

Next we move down to the Authorization section of the Policy.

This is where you do your matching against Active Directory. Create conditions that match the user’s group membership by referencing the AD join point directly (its ExternalGroups attribute), not the identity source sequence. The returned result is up to you; if you want to customize it with ACLs, a Group-Policy via the Class attribute, and so on, this is where you do it.

That’s it, you’re finished! Well… not quite. You still need to configure your ASA to use ISE as a RADIUS server (an aaa-server group using the RADIUS protocol), create your Tunnel-Group pointing at that server group, and create one Group-Policy for each name ISE will return in the Class attribute. You also need to make sure your ASA is listed in ISE under Network Devices with a RADIUS shared secret that matches the one configured on the ASA.

Why does this work? Here is what happens.
  1. The ASA sends an authentication request to its RADIUS server (ISE).
  2. ISE takes the request and sends its own RADIUS request to the Duo Proxy, the first source in the identity source sequence.
  3. The Duo Proxy validates the password against Active Directory.
    1. If the password is good, the Duo Proxy sends a push notification to the user’s phone.
  4. Duo responds to ISE with a RADIUS Access-Accept (or an Access-Reject if the password was wrong or the user denied the push, which ISE logs as an authentication failure).
  5. ISE performs an authorization lookup against Active Directory (directly, via the join point).
    1. Username: jeff.thurston
    2. Enumerate AD groups
      1. If member of Vendors = Permit
    3. ISE returns to the ASA:
      Access-Accept + RADIUS attribute 25 (Class) “OU=Vendors;”, i.e. Group-Policy = Vendors
    4. The ASA applies the Vendors group-policy and permits the user access.
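The exchange above, as an added example that is not part of the original post: a stand-alone Python model of the RADIUS side of the flow using only the standard library. The ASA side builds a PAP Access-Request with the RFC 2865 User-Password obfuscation, a stand-in for ISE authenticates through a stand-in Duo proxy and then authorizes on AD group membership, and the reply carries Class (attribute 25) as “OU=<group-policy>;”, which the client checks against the Response Authenticator before trusting it. The users, passwords, groups, shared secret and authorization rule are constructed test data; no real proxy, ISE or AD is involved, and the service account case shows why a valid AD password alone is not enough.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CLASS = 1, 2, 25  # RADIUS attribute types

def obfuscate_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def deobfuscate_password(hidden, secret, req_auth):
    """Inverse of obfuscate_password; the chaining value is the previous hidden block."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    """Attributes are Type, Length (including these two bytes), Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def response_authenticator(code, ident, req_auth, attr_bytes, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + req_auth + attr_bytes + secret).digest()

def build_access_request(username, password, secret, ident=1, req_auth=None):
    """What the ASA puts on the wire for a PAP login (ISE does the same towards the Duo proxy)."""
    req_auth = req_auth or os.urandom(16)
    hidden = obfuscate_password(password.encode(), secret, req_auth)
    attr_bytes = encode_attrs([(USER_NAME, username.encode()), (USER_PASSWORD, hidden)])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attr_bytes)) + req_auth + attr_bytes

def build_response(code, ident, req_auth, attrs, secret):
    attr_bytes = encode_attrs(attrs)
    auth = response_authenticator(code, ident, req_auth, attr_bytes, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attr_bytes)) + auth + attr_bytes

# Constructed stand-ins (made-up data) for the real components: the Duo proxy checks the
# AD password and then the push; ISE then reads AD groups itself and maps a group to an
# ASA group-policy. svc-backup has a valid AD password but no Duo enrolment and no VPN group.
AD_PASSWORDS = {"jeff.thurston": "CorrectHorse", "svc-backup": "S3rv1ce-Only"}
AD_GROUPS = {"jeff.thurston": {"Domain Users", "VPN-DevOps"}, "svc-backup": {"Domain Users"}}
DUO_PUSH_APPROVED = {"jeff.thurston": True}
AUTHZ_RULES = [("VPN-DevOps", "VPN-DevOps")]  # (AD group, ASA group-policy to return)

def ise_handle(request, secret):
    """Stand-in for ISE: authenticate through the Duo proxy, then authorize on AD group membership."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], dict(decode_attrs(request[20:length]))
    user = attrs[USER_NAME].decode()
    password = deobfuscate_password(attrs[USER_PASSWORD], secret, req_auth).decode()
    duo_ok = AD_PASSWORDS.get(user) == password and DUO_PUSH_APPROVED.get(user, False)
    policy = next((gp for grp, gp in AUTHZ_RULES if grp in AD_GROUPS.get(user, set())), None)
    if duo_ok and policy:
        # The ASA expects the group-policy name in Class (25) formatted as "OU=<name>;".
        return build_response(ACCESS_ACCEPT, ident, req_auth, [(CLASS, f"OU={policy};".encode())], secret)
    return build_response(ACCESS_REJECT, ident, req_auth, [], secret)

def parse_response(response, req_auth, secret):
    """ASA side: check the Response Authenticator with the shared secret, then read Class."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    attr_bytes = response[20:length]
    if response[4:20] != response_authenticator(code, ident, req_auth, attr_bytes, secret):
        raise ValueError("bad Response Authenticator: wrong shared secret or tampered reply")
    if code != ACCESS_ACCEPT:
        return None
    for t, value in decode_attrs(attr_bytes):
        if t == CLASS and value.startswith(b"OU="):
            return value[3:].rstrip(b";").decode()
    return None

def vpn_login(username, password, secret=b"radius-shared-secret"):
    """Full round trip; returns the ASA group-policy name, or None when the login is rejected."""
    req_auth = os.urandom(16)
    request = build_access_request(username, password, secret, ident=7, req_auth=req_auth)
    return parse_response(ise_handle(request, secret), req_auth, secret)
```

vpn_login("jeff.thurston", "CorrectHorse") returns "VPN-DevOps", while the service account and a wrong password both come back as None: the reject and the accept are indistinguishable on the ASA without the group-policy, which is exactly why the authorization step, not just the Duo accept, decides access. The authenticator check also shows why the RADIUS shared secret between ASA and ISE matters: with a mismatched secret the reply is rejected rather than trusted.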
