Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1824
Views
0
Helpful
2
Replies

DUO Proxy, Cisco ISE and F5 LTM

Steven Williams
Level 4
Level 4

‎10-30-2018 01:23 PM

I have been struggling with this deployment for a few weeks now and I am starting to question the design maybe.

My currently Flow is:

Cisco Anyconnect —> Cisco ISE ----> Duo Proxy A port 1812/18120
|
-----> Duo Proxy B port 1812/18120

The ASA that terminates the anyconnect looks to Cisco ISE for its “RADIUS server” Then in Cisco ISE I have configured two Radius Token identity servers, Proxy A and Proxy B both listening on both ports.

I am using 2 ad_client fields in the config that match to 2 radius_server_auto fields. This is how I can achieve the listening of two ports for Radius for two separate domains.

Each Radius Token looks to Proxy A as primary and Proxy B as secondary both configured for different ports.

Some issues I am having is timing when it comes to “timeouts”. Also sometimes a user will login to the VPN without being prompted for DUO on their personal device and get connected, then they will disconnect and reconnect and they get DUO push…So thats puzzling.

Recently I fell on this article where it says my configuration of flow is completely wrong:

https://finkotek.com/cisco-anyconnect-with-ise-and-duo-mfa/

Saying that the ASA should be looking to the DUO proxy then Duo Proxy looks to ISE. But that confuses my load balancing ideas. Unless the Proxies go behind a F5 LTM VIP and both Proxies look to ISE? But then Load balance ISE too?

I need someone who has done this before successfully. I also cant seem to monitor the Duo Proxies easily either with F5. That may be a whole different issue.

Any help would be great.

Labels:
0 Helpful
2 Replies 2

captain118
Level 1
Level 1

‎11-16-2018 08:38 PM

I’m doing it like you are but I only have one duo proxy. I was having timing issues but I solved them with adjusting my radius timeout on the ASA. Though it sounds like my timing issues arent the same as your timing issues. The timing issues I was having was related to how long the ASA would wait for you to approve the login before it decided to disconnect you.

0 Helpful

Steven Williams
Level 4
Level 4

‎11-19-2018 06:33 AM

What are your timing values?

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents