
Cisco ISE Integration with Two DUO Auth Proxies

Hi,

We have integrated our ISE with two Duo authentication proxies (for TACACS access to our switches). We configured a RADIUS token object and added the Duo auth proxies as primary and secondary. The timeout configured is 60 seconds with 3 attempts. When we test by stopping the Duo auth proxy service on the primary server, the secondary does work, but the user experiences a delay in getting the push notification. Whenever a new RADIUS request comes to ISE, does it check the primary server, or will it send it to the secondary auth proxy? Please advise.

Regards

Shabeeb


Greg Gibbs
Cisco Employee

As per the Duo documentation, the ISE integration with Duo should not be configured using the RADIUS Token, but rather External RADIUS Servers and a RADIUS Server Sequence.

As stated in the UI for the RADIUS Server Sequence configuration...

"Servers are accessed in sequence until a response is received"

Hello,

Our requirement is to use 2FA for device admin access to switches via TACACS. When I configure Duo as an external RADIUS server, I am not able to use it in the device admin policy set.

Ah, you are correct. I missed the reference to 'tacacs' in your initial post.

Yes, with the RADIUS Token configuration, ISE will attempt to use the Primary server and only use the Secondary when that times out.
As stated in the Admin Guide:

"When Cisco ISE is unable to connect to the primary server, it uses the secondary server."

You can tweak the Server Timeouts and Connection Attempts, but that could cause other issues. You can also use the radio button for "Failback to Primary Server after x Minutes" which will have ISE continue to use the Secondary for that amount of time when a failure of the Primary is found.
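The failover behaviour described in the reply above, as an added example that is not part of the original thread and not Cisco or Duo code. It is a simplified model that assumes every attempt against a stopped primary runs to its full timeout, and that `failback_min=0` stands for always trying the primary first; the class name, arrival times and the 15-minute failback value are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class TokenServerPair:
    """Simplified model of a primary/secondary RADIUS token server pair."""
    timeout_s: int = 60        # per-attempt server timeout (value from the thread)
    attempts: int = 3          # connection attempts (value from the thread)
    failback_min: int = 0      # assumption: 0 = always try the primary first
    primary_up: bool = True
    _skip_primary_until: float = 0.0

    def authenticate(self, now_s: float) -> tuple[str, float]:
        """Return (server that answered, seconds lost waiting on the primary)."""
        if now_s < self._skip_primary_until:
            # Inside the failback window: go straight to the secondary.
            return "secondary", 0.0
        if self.primary_up:
            return "primary", 0.0
        # Primary is down: all attempts time out before the secondary is used.
        waited = float(self.timeout_s * self.attempts)
        if self.failback_min:
            # Remember the failure and skip the primary for the failback window.
            self._skip_primary_until = now_s + waited + self.failback_min * 60
        return "secondary", waited


# Constructed arrival times (seconds) of four admin logins while the
# primary Duo Authentication Proxy service is stopped.
ARRIVALS = [0, 300, 600, 1200]


def run(failback_min: int) -> list[tuple[str, float]]:
    """Replay the constructed logins against a pair whose primary is down."""
    pair = TokenServerPair(failback_min=failback_min, primary_up=False)
    return [pair.authenticate(t) for t in ARRIVALS]


if __name__ == "__main__":
    for fb in (0, 15):
        results = run(fb)
        total = sum(delay for _, delay in results)
        print(f"failback={fb:>2} min  delays={[d for _, d in results]}  total={total}s")
```

In this model the push delay is paid on every login when the primary is always tried first, and only on the first login after the failure and the first login after each failback window otherwise.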

Pulkit Mittal
Level 1

Hi Shabeeb,

It will randomly pick a proxy on every connection. The below is also applicable in this case. You can check this in the Duo proxy logs.

How does Duo SSO choose which Duo Authentication Proxy to use for authentication when multiple proxies are used for high availability (HA)?

Regards,

Pulkit

If you find this useful, please mark it helpful and accept the solution.