How can I make RADIUS CoA from ISE work through Duo Proxy?

Hello,

Openned a case for this but though someone might now the answer.

  • AnyConnect VPN user connects to Cisco ASA
  • ASA sends RADIUS request to DUO Proxy
  • Duo Proxy sends it to Cisco ISE
  • ISE does authentication against AD, LDAP or local user database (depending on certain attributes)
  • ISE sends ACCESS-ACCEPT back to DUO proxy
  • DUO proxy sends it back to ASA.
  • Client connects

Later, when ISE issues CoA, it sends it to DUO Proxy and it seems like DUO proxy doesn’t know what to do with it and just drops it. It never forwards it to ASA. I did a packet capture on DUO Proxy and I see that it actually receives it.

I guess one possible way would be for ASA to send request to ISE and ISE send to DUO Proxy… Unfortunately, in my case, ISE has to do primary authentication, and I don’t think I can use [duo_client_only] in this scenario.

Any ideas on how to make DUO Proxy forward CoA to ASA or if there is a way to make it work so when ISE sends CoA it actually gets to the ASA?