How can I make RADIUS CoA from ISE work through Duo Proxy?


Openned a case for this but though someone might now the answer.

  • AnyConnect VPN user connects to Cisco ASA
  • ASA sends RADIUS request to DUO Proxy
  • Duo Proxy sends it to Cisco ISE
  • ISE does authentication against AD, LDAP or local user database (depending on certain attributes)
  • ISE sends ACCESS-ACCEPT back to DUO proxy
  • DUO proxy sends it back to ASA.
  • Client connects

Later, when ISE issues CoA, it sends it to DUO Proxy and it seems like DUO proxy doesn’t know what to do with it and just drops it. It never forwards it to ASA. I did a packet capture on DUO Proxy and I see that it actually receives it.

I guess one possible way would be for ASA to send request to ISE and ISE send to DUO Proxy… Unfortunately, in my case, ISE has to do primary authentication, and I don’t think I can use [duo_client_only] in this scenario.

Any ideas on how to make DUO Proxy forward CoA to ASA or if there is a way to make it work so when ISE sends CoA it actually gets to the ASA?

I was able to get this type of configuration working by putting ISE in the path between the ASA and the Duo Proxy. ISE is configured to forward RADIUS requests to the Duo Proxy in the Auth policy. The Duo Proxy then process the AD lookup and the user gets the push auth. Duo sends the result back to ISE which then is configured to continue for an Authz match.

Configure External RADIUS Servers on ISE

I found that implementing SAML was a more elegant solution. I found the following Cisco TAC documentation to be helpful. Depending on your enviornment this may be an option.

Integrate Duo SAML SSO with Anyconnect Secure Remote Access using ISE Posture