DUO 2FA for 802.1x with Cisco ISE

Hello Team,

Is anyone aware of any documentation out there to showcase how to set up 2FA for users connecting to the network using 802.1x?

Mainly using PEAP-MSCHAPv2 as the Primary authentication method with ISE.

Some questions come up such as what 2nd authentication methods are supported, how is the proxy involved…etc.

Any help on this would be highly appreciated.


You could maybe point the 802.1x connections to ISE, and in your policy set’s authentication rules add a Duo RADIUS rule that just does 2FA after the rule that handles your current primary authentication.

We have ISE RADIUS documentation here but these instructions have the Duo proxy server performing both primary and secondary authentication.

To do 2FA only, when you create the primary auth client section you would specify [duo_only_client], and when you get to the 2FA RADIUS server section, set client=duo_only_client.

So, you’d wind up with an authproxy.cfg that looks like this and only does Duo 2FA:



Hello Kristina,

Thank you for the update. ISE does not support this method unfortunately. When it receives a request, it checks the authentication rules one by one until a match is found. When it is matched, ISE will jump to the authorization rules and will not parse the rest of the authentication rules in the list.

So it is either all or nothing :)

I was doing some research and it seems the DUO auth proxy does not support PEAP with MS-CHAPv2. It does support EAP-GTC it seems and that will work.

I was just wondering what other protocols the DUO Auth proxy does or does not support, and if there is any public documentation for 2FA with dot1x.