DUO Proxy, Cisco ISE and F5 LTM


#1

I have been struggling with this deployment for a few weeks now and I am starting to question the design maybe.

My current flow is:

Cisco AnyConnect ---> Cisco ISE ----> Duo Proxy A port 1812/18120
                               |
                               -----> Duo Proxy B port 1812/18120

The ASA that terminates AnyConnect looks to Cisco ISE as its "RADIUS server". Then in Cisco ISE I have configured two RADIUS Token identity servers, Proxy A and Proxy B, both listening on both ports.

I am using two ad_client fields in the config that map to two radius_server_auto fields. This is how I get the proxy to listen on two RADIUS ports for two separate domains.

Each RADIUS Token looks to Proxy A as primary and Proxy B as secondary, both configured for different ports.

Some issues I am having are with timing when it comes to "timeouts". Also, sometimes a user will log in to the VPN without being prompted for Duo on their personal device and get connected; then they will disconnect and reconnect and they get a Duo push... So that's puzzling.

Recently I came across this article, which says my flow configuration is completely wrong:

https://finkotek.com/cisco-anyconnect-with-ise-and-duo-mfa/

It says the ASA should be looking to the Duo proxy, and then the Duo proxy looks to ISE. But that confuses my load-balancing ideas. Unless the proxies go behind an F5 LTM VIP and both proxies look to ISE? But then load balance ISE too?

I need someone who has done this before successfully. I also can't seem to monitor the Duo proxies easily with F5 either. That may be a whole different issue.

Any help would be great.
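For readers following the thread, here is what the arrangement described in the post (two ad_client sections mapped to two radius_server_auto sections, one listener on UDP 1812 and one on UDP 18120, with the ISE PSNs as the RADIUS clients) looks like in Duo Authentication Proxy's authproxy.cfg. This is an added illustration, not the poster's actual configuration: the domain names, directory hosts, ISE addresses (10.0.0.11 and 10.0.0.12), integration keys and secrets are all placeholders. The section and key names are Duo's.

```ini
; Duo Authentication Proxy - two AD domains, two RADIUS listeners
; Added example, not the poster's file; every value below is a placeholder.

[ad_client]
; Primary authentication source for domain A (hypothetical hosts)
host=dc1.corp-a.example.com
host_2=dc2.corp-a.example.com
service_account_username=duo-svc
service_account_password=REPLACE_ME
search_dn=DC=corp-a,DC=example,DC=com

[ad_client2]
; Primary authentication source for domain B (hypothetical hosts)
host=dc1.corp-b.example.com
host_2=dc2.corp-b.example.com
service_account_username=duo-svc
service_account_password=REPLACE_ME
search_dn=DC=corp-b,DC=example,DC=com

[radius_server_auto]
; Listener for domain A on UDP 1812; the ISE PSNs are the RADIUS clients
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_ME
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
port=1812
radius_ip_1=10.0.0.11
radius_secret_1=REPLACE_ME
radius_ip_2=10.0.0.12
radius_secret_2=REPLACE_ME
; "secure" fails the login if the Duo service is unreachable;
; the default, "safe", lets primary-auth-only logins succeed in that case
failmode=secure

[radius_server_auto2]
; Listener for domain B on UDP 18120, same ISE clients
ikey=DIYYYYYYYYYYYYYYYYYY
skey=REPLACE_ME
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client2
port=18120
radius_ip_1=10.0.0.11
radius_secret_1=REPLACE_ME
radius_ip_2=10.0.0.12
radius_secret_2=REPLACE_ME
failmode=secure
```

Two points worth checking against a file like this: the proxy holds the RADIUS request open while it waits for the push or phone call, so the RADIUS client timeout on the side that talks to the proxy (here the ISE RADIUS Token server, and in turn the ASA's timeout towards ISE) has to be long enough to cover that wait (Duo's documentation recommends 60 seconds); and the failmode setting determines whether a login completes on primary credentials alone when the proxy cannot reach the Duo service.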