Duo MFA with Cisco FTD and ISE

I have a customer with Cisco FTD firewalls who is using ISE to authenticate their SSL VPN clients. They are pushing a group-policy change from ISE to the firewall upon successful authentication. My question is: when we add Duo to the workflow, will the Duo Auth Proxy pass the RADIUS pair from ISE to the firewall to make the group-policy change?

Hi Chatataridge, yes that is possible. I am terminating the VPN Clients in the default group policy with a VPN Filter “deny any” and then assigning the specific group-policy via authorization policy on ISE.

I guess when you configure the ISE as RADIUS clients in the Duo Proxy you will have to set the “pass_through_all=true” attribute for it to work.
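
For reference, the setting mentioned above as it would sit in the Duo Authentication Proxy's `authproxy.cfg`. This is an added example, not configuration from either poster. It assumes the FTD sends RADIUS to the proxy and the proxy uses ISE for primary authentication, that the group-policy is carried in the Class attribute, and every bracketed value is a placeholder.

```ini
; Constructed authproxy.cfg fragment; all hosts, keys and secrets are placeholders.

; Primary authentication: the proxy forwards the VPN login to ISE.
; The proxy must also be defined as a network device on the ISE side.
[radius_client]
host=<ISE_PSN_IP>
secret=<SHARED_SECRET_PROXY_TO_ISE>

; Listener for the FTD, whose RADIUS server group points at the proxy.
[radius_server_auto]
ikey=<DUO_INTEGRATION_KEY>
skey=<DUO_SECRET_KEY>
api_host=<DUO_API_HOSTNAME>
radius_ip_1=<FTD_IP>
radius_secret_1=<SHARED_SECRET_FTD_TO_PROXY>
client=radius_client

; Default behaviour (pass_through_all=false): attributes in the ISE
; Access-Accept are not copied into the proxy's reply, so the FTD never
; receives the group-policy assignment and the user stays in the default
; group policy.
; pass_through_all=false

; Copy every attribute ISE returns into the reply sent to the FTD.
pass_through_all=true

; Narrower alternative: forward only the named attribute instead of all
; of them (Class is an assumption about how ISE returns the group-policy).
; pass_through_attr_names=Class
```

With a default group policy that denies all traffic, a missing pass-through shows up as users who pass MFA but cannot reach anything, which is a quick way to confirm whether the attribute is arriving at the FTD.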



Thank you for your response.

Len Ledford