I’ve worked with the RSA Multi-Factor Authentication (MFA) solution before, but this is the first time I’ve integrated a cloud-based MFA. I’ll skip the configuration related to the DUO setup itself and concentrate on what is relevant to Cisco. Among all the DUO configuration guides and whitepapers I struggled to find a clear guide for the most common Cisco setup: Anyconnect VPN > ASA > ISE. As a result, I started out wrong by adding DUO as a Radius Token server in ISE. My assumed authentication flow looked similar to the diagram below.
Since my approach was incorrect, I was getting strange errors such as "MSCHAPv2 protocol not supported" from the DUO authentication proxy, and logins were rejected.
The proper way to integrate DUO into a production network is depicted below. All authentication requests from the Cisco ASA go to the DUO Authentication Proxy servers (Proxy); the proxy has the ISE servers configured as its Radius client (primary authentication server), and ISE in turn authenticates users against Active Directory. The authentication result, with any additional attributes, is passed back to DUO, which then initiates the MFA process (push, passcode, etc.). This setup also allows us to introduce DUO into an existing production network without any major configuration changes.
Start with the DUO configuration. On the DUO Admin page, navigate to Groups and add a test Group of users who will be enrolled in the preliminary testing of MFA.
Next, go to Applications > Protect an Application.
Search for the Cisco Radius VPN app, which will process authentication requests from the ASA. Select Protect this Application to install it.
Once installed, make a note of the Integration key and Secret key.
Scroll down and Edit Global Policy.
Save the changes, then scroll down and enable Username normalization so that usernames with an appended or prepended domain name are neither bypassed nor denied.
Next, log in to the DUO Proxy server and edit the config file located at C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg.
Add a radius_client section with the IP addresses of the Cisco ISE PSN servers.
If you plan on passing Radius attributes from ISE back to the ASA through DUO, do not forget to enable these options; otherwise the attributes will be blocked by DUO. For example, for Group Policy enforcement allow this attribute.
To allow passing all attributes:
Edit the radius_server_auto section. Add the Cisco Radius VPN app keys and API hostname. Also specify the ASA IP address and Radius secret. The attribute pass_through_all=true allows passing Radius attributes from ISE to the ASA. With the attribute failmode=safe, if the Duo service is unreachable users will be ALLOWED access as long as they pass primary authentication (failmode=secure denies them instead).
; Your Duo integration key
ikey=<integration key from the Cisco Radius VPN app>
; Your Duo secret key
skey=<secret key from the Cisco Radius VPN app>
; Your Duo API hostname (e.g. "api-XXXX.duosecurity.com")
api_host=<API hostname from the Cisco Radius VPN app>
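Putting the pieces together, here is a complete authproxy.cfg for the ASA > DUO Proxy > ISE > Active Directory flow described above. This is an added example, not the original post's file; the IP addresses, secrets and keys are placeholders, and the section and option names are the standard Duo Authentication Proxy ones.

```ini
; Added example configuration (not from the original post). All values are placeholders.

[radius_client]
; Primary authentication is delegated to the Cisco ISE PSNs.
; ISE must have the proxy servers defined as network devices with this secret.
host=10.0.0.11
host_2=10.0.0.12
secret=RADIUS_SECRET_SHARED_WITH_ISE
; ISE is allowed only PAP/ASCII for this policy set, which is what the proxy sends.

[radius_server_auto]
; Keys and hostname from the Cisco Radius VPN application in the Duo Admin panel.
ikey=DIXXXXXXXXXXXXXXXXXX
skey=YOUR_DUO_SECRET_KEY
api_host=api-XXXX.duosecurity.com
; Primary authentication goes to the section above.
client=radius_client
; The ASA is the RADIUS client of the proxy; use the same secret in the
; ASA aaa-server definition.
radius_ip_1=10.0.0.1
radius_secret_1=RADIUS_SECRET_SHARED_WITH_ASA
port=1812
; Copy every attribute returned by ISE (e.g. the Group Policy attribute)
; into the Access-Accept sent to the ASA.
pass_through_all=true
; safe  = users who pass ISE authentication are allowed in when Duo cloud is unreachable
; secure = such users are denied until Duo is reachable again
failmode=safe
```

Restart the DuoAuthProxy service after editing and watch the log directory for parse errors before testing from the ASA.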
Once the configuration changes have been made, restart the DUO service from an elevated (Admin) command prompt.
net stop DuoAuthProxy
net start DuoAuthProxy
Make sure the service starts successfully; if not, check the log file for errors (C:\Program Files (x86)\Duo Security Authentication Proxy\log).
Next, configure the Cisco ASA with the DUO Proxy servers. It is very important to have at least two DUO servers for redundancy and to set the timeout to 60 seconds.
aaa-server DUO-MFA protocol radius
aaa-server DUO-MFA (inside) host DUO_Proxy1_IP
 timeout 60
aaa-server DUO-MFA (inside) host DUO_Proxy2_IP
 timeout 60
In case you start experiencing timeouts at the authentication prompt, check this post about the timeout values configured in the Anyconnect XML profile.
Add the DUO server group to the Anyconnect tunnel group as the authentication server.
tunnel-group AnyConnect-Group general-attributes
 authentication-server-group DUO-MFA
Next, on Cisco ISE add the DUO Proxy servers to a dedicated network device group. Use the same Radius secret as in the DUO Proxy config.
Create an Identity Source Sequence to authenticate VPN users against the identity source.
Create an Allowed Protocols profile for VPN authentications. Allow only PAP/ASCII.
Configure a new Authentication Policy Set for VPN authentications. Select the DUO device group as the Condition; that way your existing authentication flow is not impacted.
Configure the authentication policy to use the VPN identity sequence configured above.
Create the Authorization policy. Optionally specify conditional attributes to selectively apply authorization results. For example, I used the Dial-in attribute so I can control who can VPN in while in MFA bypass mode.
That's it. If a user is not part of the test group they will bypass MFA. As for your test users and the future production deployment, follow the DUO Liftoff Guide for the best user experience.
As I learned more about DUO I came across the Radius Challenge option. Unfortunately, I have not implemented it yet and there are no screenshots with Anyconnect, so for now Global Protect will do. More information can be found here, but this is a great option for self-enrolling users such as new hires. The only part I do not like is that you cannot be specific about what to display. For example, I want this challenge to pop up only for self-enrolling users and, for enrolled users, to send a push notification straight away without extra pop-ups, but unfortunately that is not possible. Maybe future releases will have more flexibility.