
Duo Multifactor Authentication for Cisco ISE

Last Updated: July 12th, 2024

Overview

Cisco Identity Services Engine (ISE) Release 3.3 Patch 1 introduces direct integration of Duo as an identity source for ISE VPN and TACACS+ authentication.

If you're interested in a Duo MFA solution for ISE portals that includes Duo Universal Prompt, please see Duo Single Sign-On for Cisco ISE.

Requirements

  • Your ISE device software must be 3.3 Patch 1 or later.
  • You must have the Owner Duo administrator role.
  • Make sure to note all other requirements and limitations of the Duo ISE integration mentioned in the ISE documentation.

Connectivity Requirements

This application communicates with Duo's service over TLS on TCP port 443.

Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review Duo Knowledge Base article 1337.

Effective June 30, 2023, Duo no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites. See Duo Knowledge Base article 7546 for additional guidance.

First Steps

Role required: Owner

  1. Sign up for a Duo account if you don't already have one.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate the entry for Auth API in the applications list. Click Protect to the far-right to configure the application and get your integration key, secret key, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options. Do not use the "Cisco ISE Auth API" application.
  4. Click Protect an Application again and locate Cisco ISE Admin API in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. You will need to enter this information into the ISE admin console as well.
  5. While on the new Cisco ISE Admin API application's details page, scroll down to the "Permissions" section and enable Grant read resource, and Grant write resource.
  6. Click Save Changes.

Treat your secret key like a password

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Exclude Auth API from Verified Push

If the effective policy for the Auth API application you use with Cisco ISE enables risk-based factor selection, your users may be placed into step-up authentication scenarios with no way to satisfy the stronger requirement, such as completing a Verified Duo Push request.

If you have enabled risk-based factor selection in your Duo global policy, we recommend applying an application policy that disables risk-based factor selection to the Auth API application used with Cisco ISE; the application policy overrides the global policy setting for that application.

Configure Duo as an Identity Source in ISE

Follow the deployment instructions for Duo Multifactor Authentication for Cisco ISE on cisco.com, substituting your "Auth API" application information where the ISE documentation says to use the "Cisco ISE Auth API" application.

You will need to copy the integration keys, secret keys, and API hostname information for the Auth API and Cisco ISE Admin API you created earlier from the Duo Admin Panel into the ISE console as directed.
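Before pasting the Auth API keys into ISE, it helps to confirm from a host on the same network path that the integration key, secret key and API hostname are accepted by Duo and that the outbound connection negotiates TLS 1.2 or later (the Connectivity Requirements above). The script below is an added example, not code from Duo or Cisco. It assumes Duo's documented Auth API v2 request signing (HMAC-SHA1 over a date/method/host/path/params canonical string, sent as HTTP Basic with the integration key as the user and the hex signature as the password) and that POST /auth/v2/check returns HTTP 200 for valid keys; the hostname form api-XXXXXXXX.duosecurity.com and the DUO_HOST, DUO_IKEY and DUO_SKEY environment variables are assumptions of this example.

```python
"""Check a Duo Auth API application (ikey/skey/API hostname) before
entering it into ISE.  Added example, not Duo's or Cisco's code.

Assumptions (not stated on the page):
  - Duo Auth API v2 signing: HMAC-SHA1 over
    "date\nMETHOD\nhost\npath\nsorted&encoded=params", sent as
    HTTP Basic with user=ikey and password=hex signature.
  - POST /auth/v2/check answers HTTP 200 when the keys are valid.
"""
import base64
import email.utils
import hashlib
import hmac
import http.client
import json
import os
import ssl
import sys
import urllib.parse


def canonicalize(date, method, host, path, params):
    """Build the string Duo signs: one line each for the RFC 2822 date,
    upper-case method, lower-case host, path and the parameters sorted
    by name and URL-encoded with '~' left unescaped."""
    args = ["%s=%s" % (urllib.parse.quote(k, "~"),
                       urllib.parse.quote(params[k], "~"))
            for k in sorted(params)]
    return "\n".join([date, method.upper(), host.lower(), path, "&".join(args)])


def sign(date, method, host, path, params, ikey, skey):
    """Return the Authorization header value for one Duo API request.
    The secret key never leaves this host; only the HMAC is sent."""
    canon = canonicalize(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    token = base64.b64encode(("%s:%s" % (ikey, sig)).encode()).decode()
    return "Basic " + token


def parse_authorization(value):
    """Split a 'Basic <b64>' header back into (ikey, hex signature)."""
    user, sig = base64.b64decode(value.split(" ", 1)[1]).decode().split(":", 1)
    return user, sig


def strict_tls_context():
    """Client context that refuses TLS 1.0/1.1 and verifies the Duo
    certificate against the system trust store, matching what Duo's
    service itself now requires."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def check_auth_api(host, ikey, skey, timeout=10):
    """POST /auth/v2/check and return (HTTP status, decoded JSON body).
    A 401 here means the ikey/skey pair is wrong for that hostname, so
    the problem is in the Duo application, not in ISE."""
    path = "/auth/v2/check"
    date = email.utils.formatdate()          # must match the signed date
    headers = {
        "Date": date,
        "Authorization": sign(date, "POST", host, path, {}, ikey, skey),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                       context=strict_tls_context())
    try:
        conn.request("POST", path, body="", headers=headers)
        resp = conn.getresponse()
        body = json.loads(resp.read().decode() or "{}")
        return resp.status, body
    finally:
        conn.close()


if __name__ == "__main__":
    # Example invocation; keys are read from the environment, never
    # hard-coded or logged.
    status, body = check_auth_api(os.environ["DUO_HOST"],
                                  os.environ["DUO_IKEY"],
                                  os.environ["DUO_SKEY"])
    print(status, body)
    sys.exit(0 if status == 200 else 1)
```

Run it with the three environment variables set for the "Auth API" application (not the "Cisco ISE Auth API" one). An `ssl.SSLError` on connect points at a TLS-intercepting proxy or a firewall on the path to Duo; an HTTP 401 points at the keys; a 200 means the application is ready to be entered into ISE.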

Known Issues

  • If you configure ISE with the Duo "Cisco ISE Auth API" application you will find that authentication fails. Please use an "Auth API" Duo application in your ISE configuration at this time.
  • You may receive a 401 error response when users sign into ISE with an email address or User Principal Name as the username. The current workaround is to use a username format that does not contain an @ symbol, like sAMAccountName. This should be addressed in a future ISE release.

Troubleshooting

Need some help? Reach out to Duo Support for assistance with creating the Cisco ISE API applications in Duo, enrolling users in Duo, Duo policy questions, or Duo authentication approval issues. For assistance configuring or managing ISE devices please contact Cisco Support.