cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3129
Views
0
Helpful
1
Replies

Cisco ISE and Duo Authentication Proxy

dariotmmk
Level 1
Level 1

Hello all,

I’m writing this post because I have troubles with integrating RADIUS Cisco ISE and DUO Authentication Proxy. I followed the official guide.

I’d also have to point out that in my infrastructure the [radius_client] and [radius_server_auto] are the same device. Cisco ISE.
For this scenario to work, additionally I had to define Network Device in Cisco ISE (Authentication-> Network Resources-> Network Devices).

For this test I have defined user identity that is authenticated against Active Directory.

indent preformatted text by 4 spaces[DuoForwardServer (UDP)] Sending request from [Cisco ISE IP] to radius_server_auto
[DuoForwardServer (UDP)] Received new request id 8 from ([Cisco ISE IP], 48515)
[DuoForwardServer (UDP)] (([Cisco ISE IP], 48515), duoUser, 8): login attempt for username u’duoUser’
[DuoForwardServer (UDP)] Sending request for user u’duoUser’ to ([Cisco ISE IP], 1812) with id 171
[RadiusClient (UDP)] Got response for id 171 from (, 1812); code 3
[RadiusClient (UDP)] (([Cisco ISE IP], 48515), duoUser, 8): Primary credentials rejected - No reply message in packet
[RadiusClient (UDP)] Sending request for user u’duoUser’ to ([Cisco ISE IP], 1812) with id 189
[RadiusClient (UDP)] Got response for id 189 from ([Cisco ISE IP], 1812); code 3
[RadiusClient (UDP)] (([Cisco ISE IP], 48515), duoUser, 8): Primary credentials rejected - No reply message in packet
[RadiusClient (UDP)] (([Cisco ISE IP], 48515), duoUser, 8): Returning response code 3: AccessReject
[RadiusClient (UDP)] (([Cisco ISE IP], 48515), duoUser, 8): Sending response

On the Cisco ISE the log says only to check the External RADIUS logs.

Do you have any idea where I might have a problem?

Thank you.

1 Reply 1

Amy2
Level 5
Level 5

Hey @dariotmmk

Looking at this log, I noticed it says “No reply message in packet.” Give the steps in this article a try and see if that works for you?

FYI usually there will be some sort of message after “Primary credentials rejected” that gives a clue as to why/what’s going on. I recommend bookmarking this guide on how to interpret and troubleshoot Duo Authentication Proxy debug logs as it is v. helpful in figuring things out!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links