In continuation of my previous post about DUO and ISE integration, I ran into a problem where I had to integrate ISE posture into the mix. Passing standard Radius attributes with the existing setup was not an issue, but since posture required a slightly more complicated authentication flow, it did not work. I was getting the following error:
The source of CoA packet does not match tunnel-group config.
CoA message from xxxx for session ac1463040011a0005df838de is inconsistent with the ASA configuration.
My setup was as below, so the response from ISE obviously did not match the actual Radius server configuration on the tunnel-group.
So I had to revert it to the original diagram below.
As you can see, all properly formatted authentication requests (push, code, etc.) from the Cisco ASA go to the Cisco ISE servers. ISE has the DUO servers configured as external Radius servers, which in turn authenticate users against Active Directory. On success, the authentication result is passed back to ISE, which initiates the posture process.
With this setup, there are no additional menus to assist users. Users have to be taught the proper password field format to authenticate successfully.
Start with the DUO configuration and complete it based on the information provided.
Next, log in to the DUO Proxy server and edit the config file located at C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg.
Edit the ad_client section. Add host as the IP of the Active Directory servers. Add host_2 for redundancy. Specify the service account username and password for AD queries and the base search DN.
;Active directory server IPs
;AD account to run queries.
Edit the radius_server_auto section. Add the Cisco Radius VPN app keys and API hostname. Also specify the IP addresses of the Cisco ISE PSN servers and the Radius secret. With the attribute failmode=safe, if the Duo service is unreachable, users will be ALLOWED access if they pass primary authentication.
; Your Duo integration key
; Your Duo secret key
; Your Duo API hostname (e.g. “api-XXXX.duosecurity.com”)
Once the configuration changes are made, restart the DUO service from an Admin mode command line.
net stop DuoAuthProxy
net start DuoAuthProxy
Make sure the service starts successfully; if not, check the log file for errors (C:\Program Files (x86)\Duo Security Authentication Proxy\log).
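An offline sanity check for the authproxy.cfg edits described above, as an added example that is not part of the original post or Duo's tooling. The sample config is constructed with placeholder values; key names other than host, host_2 and failmode (for example radius_ip_N, radius_secret_N, radius_secret_protected_N) are assumed from Duo's Authentication Proxy documentation and are not shown on this page.

```python
import configparser

# Constructed sample mirroring the two sections described above; all values are placeholders.
SAMPLE_CFG = """
[ad_client]
; Active directory server IPs
host=192.0.2.10
service_account_username=svc_duo
service_account_password=CHANGE_ME
search_dn=DC=example,DC=com
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=CHANGE_ME
api_host=api-XXXX.duosecurity.com
radius_ip_1=192.0.2.21
radius_secret_1=CHANGE_ME
radius_ip_2=192.0.2.22
failmode=safe
client=ad_client
"""

def audit_authproxy(cfg_text):
    """Return a list of findings for an authproxy.cfg supplied as text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(cfg_text)
    findings = []
    ad = cp["ad_client"] if cp.has_section("ad_client") else {}
    if "host" in ad and "host_2" not in ad:
        findings.append("ad_client: no host_2, AD lookup has no redundancy")
    for name in cp.sections():
        if not name.startswith("radius_server_auto"):
            continue
        sec = cp[name]
        # Assumption: an omitted failmode behaves like safe (fail-open).
        if sec.get("failmode", "safe").strip().lower() == "safe":
            findings.append(f"{name}: failmode=safe, 2FA is skipped if Duo is unreachable")
        ips = sorted(k for k in sec if k.startswith("radius_ip_"))
        if len(ips) < 2:
            findings.append(f"{name}: fewer than two ISE PSN clients defined")
        for k in ips:
            n = k.rsplit("_", 1)[1]
            if f"radius_secret_{n}" not in sec and f"radius_secret_protected_{n}" not in sec:
                findings.append(f"{name}: {k} has no matching radius_secret_{n}")
    return findings

if __name__ == "__main__":
    for line in audit_authproxy(SAMPLE_CFG):
        print(line)
```

Whether failmode=safe is acceptable is a policy decision; the check only makes the fail-open behaviour visible before the service is restarted.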
Next, configure the Cisco ASA with the ISE servers. It is very important to have at least two ISE servers for redundancy and to set the timeout to 60 seconds.
aaa-server ISE protocol radius
interim-accounting-update periodic 1
aaa-server ISE (inside) host ISE1_IP
aaa-server ISE (inside) host ISE2_IP
Add the ISE server group to the AnyConnect tunnel group as the authentication server.
tunnel-group DefaultWEBVPNGroup general-attributes
I found accounting not necessary in this configuration.
Next, on Cisco ISE add External RADIUS Servers. Use the same Radius secret as on DUO Proxy config for radius_secret.
Create a RADIUS Server Sequence to authenticate VPN users. Add the Radius servers to the sequence.
Under Advanced, it is very important to check Continue to Authorization Policy; otherwise ISE authorization will not take place.
Configure a new Authentication Policy Set for VPN authentications. Select the RADIUS Server Sequence. You can split your test VPN device into a separate group so that you do not impact production.
Create an Authorization policy based on posture assessment requirements by following Cisco guides.
Unfortunately, with this setup we lose the user-friendly pop-ups from the DUO proxy. The AnyConnect login screen will have the usual username/password fields. Un-enrolled users will still be able to VPN in. Enrolled users will have to append a comma and a keyword (push, SMS, etc.) to their password and re-enter it once they get the code, or look for a pop-up on their phone, as it is the default action.
If you start seeing USERNAME instead of the real user ID for failed attempts, check the "Disclose invalid usernames" setting in ISE. If it is unchecked, check it.