Cisco ISE TACACS Integration with DUO Cloud with Azure AD Query

Hello,

I am going to integrate our Cisco switches' device admin access (TACACS) with Cisco ISE and DUO Cloud, with the user accounts located in our on-premises AD. The proposed flow was as follows:

Switch --> ISE ---> DUO Auth Proxy -->DUO Cloud

The plan was to use DUO Auth proxy for the ISE-DUO cloud integration but the customer has the below queries.

 

1. Can we do the ISE-DUO Cloud integration without DUO Auth Proxy?

2. Can we use Azure AD instead of on-premises AD?

3. Can we use SAML for the integration between ISE and DUO Cloud?

Their requested flow is as follows:

Switch ---> ISE ----> DUO Cloud (with user account located in Azure AD).

Please advise

Thanks 


Greg Gibbs
Cisco Employee

The only validated solutions for this use case leverage Duo Auth Proxy; either the standalone method or the new direct integration in ISE 3.3p1 (technically still a beta feature). Both options require traditional AD (on-prem or in the cloud).

SAML is browser-based, so it would not work with CLI-based mechanisms without some sort of broker in the client. ISE Device Admin policies cannot currently be configured to use a SAML IdP.

Hello Gibbs,

Please find the below queries for confirmation.

1. So the validated and recommended method is to use DUO Auth Proxy?

2. Is Azure AD not supported in either case, whether we use DUO Auth Proxy or the direct integration (in ISE 3.3p1)? Is it a limitation only when we use device admin, or is it a global limitation?

1. Correct

2. Entra ID is not the same as Active Directory, so there are limitations on how ISE can interact with Entra ID (mainly being SAML or REST ID). We cannot currently use either of these for TACACS+ (Device Admin) policies. SAML IdP is only supported for use with portal-based authentication flows, and REST ID is used mainly with RADIUS endpoint flows.

Hello Greg,

So in summary, the best option is to go with DUO Auth Proxy with on-premises AD. As you are aware, we have options to install DUO Auth Proxy on a Linux server or a Windows server. Which one is better/recommended? Is there any difference between them?

AFAIK, the functionality is the same so it would mainly be a preference thing. For more Duo-specific questions, you might try posting them to the Duo Security community space.
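For reference, here is what the validated flow discussed in this thread (Switch -> ISE -> Duo Auth Proxy -> Duo Cloud, primary authentication against on-premises AD) looks like on the Auth Proxy side. This authproxy.cfg sketch is added as an illustration and is not from the thread, Cisco or Duo; every hostname, DN, IP address, key and secret in it is a placeholder assumption.

```ini
; Illustrative authproxy.cfg for the Switch -> ISE -> Duo Auth Proxy -> Duo Cloud flow.
; Not from the thread or from Cisco/Duo; all hosts, DNs, IPs, keys and secrets are placeholders.

[ad_client]
; Primary authentication: on-premises Active Directory domain controllers (placeholder hosts)
host=dc1.corp.example
host_2=dc2.corp.example
service_account_username=svc-duoproxy
service_account_password=PLACEHOLDER_AD_SERVICE_PASSWORD
search_dn=DC=corp,DC=example
; Limit primary auth to the network-admin group so a valid AD password
; for an unrelated account is rejected before the Duo push is ever sent.
security_group_dn=CN=NetworkAdmins,OU=Groups,DC=corp,DC=example
; LDAPS to the domain controllers so the service-account bind and user
; passwords do not cross the network in cleartext.
transport=ldaps
ssl_ca_certs_file=/opt/duoauthproxy/conf/corp-ca.pem

[radius_server_auto]
; Duo Cloud application credentials (placeholders)
ikey=PLACEHOLDER_DUO_INTEGRATION_KEY
skey=PLACEHOLDER_DUO_SECRET_KEY
api_host=api-PLACEHOLDER.duosecurity.com
; ISE is the RADIUS client of the proxy (placeholder ISE PSN address and shared secret)
radius_ip_1=10.0.0.5
radius_secret_1=PLACEHOLDER_RADIUS_SHARED_SECRET
; Hand primary authentication to the [ad_client] section above
client=ad_client
port=1812
; failmode=safe would let logins through when Duo Cloud is unreachable;
; for privileged device-admin access, fail closed instead.
failmode=secure
```

On the ISE side the proxy is added as an external RADIUS token server and referenced as the identity source in the Device Admin policy set; the switches still talk TACACS+ to ISE only, and never see the proxy directly.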