Duo MFA for the ISE Admin GUI

So, you've adopted ISE: 802.1x everywhere, maybe some CTS/SDA, posture for remote VPN endpoints, even dabbling with Threat-Centric NAC and some pxGrid integrations - life is good! The network feels secure, you've got lots of visibility and control. SASE and ZTA feel like attainable goals.

Then, it hits you: you've put MFA in front of everything you can get your hands on, even using ISE to enforce MFA flows for your remote VPN users - but you've neglected to protect the protector; ISE itself is still being administered using a local admin password!

Scary, I know; but, not to worry. Using tools like Cisco Duo, we can enforce MFA for ISE Admin GUI logons quickly and painlessly, with plenty of RBAC options to enforce least-privilege principles.

Environment details:

  1. ISE version 3.1 (this process is the same for all ISE versions 2.4 and up) - 10.255.6.102
  2. Duo MFA Subscription (base-tier license)
  3. Duo Authentication Proxy version 5.6 installed on DC - 10.255.6.50
  4. Windows AD 2012 R2 Domain Controller - 10.255.6.50

Note:  This article assumes that you have already installed the Authentication
Proxy server in your environment, configured directory synchronization, and that
you have basic familiarity with Duo Authentication Proxy configuration.  This
article also assumes that you have enrolled your users fully in Duo and have 2FA
devices assigned.

For more information, please visit https://duo.com/docs/authproxy-reference and
https://duo.com/docs/enrolling-users.

First things first, let's create our application in Duo. Go to Applications > Protect an Application.

Next, search for "Cisco ISE RADIUS" in the search field, then click Protect next to the application in the list.

In your shiny new application, at the top of the page, note your iKey, sKey, and API hostname, as we will need them for our Authentication Proxy config.

Scroll down and give your application a meaningful name - I called mine "ISE 3.0 Admin GUI" because I'm going to use it for a couple of 3.x deployments in my lab. This is the name you'll see when you get a push notification on your phone, so call it something meaningful.

Now, optionally, you can assign this app to only a specific group of users - for example, in my lab I will assign this to only the "IT Staff" group which I am synchronizing from AD. You can, of course, get very granular with additional permission using Duo Group Policy, if desired. Click Save.

At this point, you are done with creating the basic application and can move over to your Authentication Proxy server. If you're running version 5.6, you can use the nice new Authentication Proxy Manager to change, validate, and commit your configuration and restart the service from one place (I highly recommend it, it's a nice addition!). If not, you can do it the traditional way by opening your authproxy.cfg file in notepad from C:\Program Files\Duo Security Authentication Proxy\conf and then opening your services.msc console to manually restart the service once your changes are made.

Once you are ready, you can input a basic [radius_server_auto] section. If you already have a section like this for another app, you can append a 1/2/3/etc. at the end of radius_server_auto, like [radius_server_auto1], to uniquely identify the app. This is also where I highly recommend using unique and nonstandard RADIUS ports for your authProxy applications, so they can be easily identified by the AuthProxy as requests come in and you don't inadvertently cause conflicts. You will note below I used port 18122.

You can use the example below to build your configuration - please reference the Authentication Proxy Reference at duo.com for additional information which may be necessary for your specific environment.

Important Note: for purposes of simple configuration and easy reading, I do not have any of the secure values in this example encrypted - you should absolutely protect your keys and other secure information in your authproxy.cfg file in a production environment using the Password Encryption tool provided by Duo as outlined here - https://duo.com/docs/authproxy-reference#encrypting-passwords

[main]

[ad_client]
host=10.255.6.50
service_account_username=duo-svcAcct
service_account_password=scvAcctPasswd
search_dn=DC=ccie,DC=lab

[cloud]
ikey=[cloud iKey string]
skey=[cloud sKey string]
api_host=[your api hostname].duosecurity.com

; One section per protected application; ISE (10.255.6.102) is the RADIUS client here.
[radius_server_auto]
ikey=[your application iKey string]
skey=[your application sKey string]
api_host=[your api hostname].duosecurity.com
radius_ip_1=10.255.6.102
radius_secret_1=radius
client=ad_client
port=18122
; safe = allow primary (AD) auth alone if the Duo cloud is unreachable; secure = deny instead
failmode=safe

Once your configuration is in place, if you're running 5.6, you can validate the configuration right in the AuthProxy Manager. If not, you can check the authproxy log file at C:\Program Files\Duo Security Authentication Proxy\log to verify validation and startup after you bounce the service.
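Before you commit and bounce the service, it is worth running a quick sanity check on the file itself. The script below is an added example (not Duo's tooling and not from the original article): it parses an authproxy.cfg and flags the things this article calls out, namely missing keys in a [radius_server_auto*] section, a client that names no section, a port reused across sections, an invalid failmode value, and secrets still in plaintext rather than in their encrypted *_protected form (skey_protected, radius_secret_protected_1, service_account_password_protected, as named in the Duo reference). The embedded sample config is constructed from the article's example with placeholder ikey/api_host values.

```python
"""Lint an authproxy.cfg before committing it (added example, not Duo's tooling)."""
import configparser

# Constructed sample modelled on the article's config (ikey/api_host are placeholders);
# the stray ']' on the failmode line is kept on purpose so the lint catches it.
SAMPLE_CFG = """[ad_client]
host=10.255.6.50
service_account_username=duo-svcAcct
service_account_password=scvAcctPasswd
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER-SKEY
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=10.255.6.102
radius_secret_1=radius
client=ad_client
port=18122
failmode=safe]"""

def lint(text):
    """Return a list of (section, message) findings; an empty list means clean."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings, ports = [], {}
    for name in cp.sections():
        sec = cp[name]
        if "service_account_password" in sec:  # ad_client: the AD bind password
            findings.append((name, "service_account_password is plaintext; use service_account_password_protected"))
        if not name.startswith("radius_server_auto"):
            continue
        findings += [(name, f"missing required key {k}") for k in ("ikey", "api_host", "radius_ip_1", "client", "port") if k not in sec]
        # Secrets should appear only in their encrypted *_protected form.
        for plain, prot in (("skey", "skey_protected"), ("radius_secret_1", "radius_secret_protected_1")):
            if plain in sec:
                findings.append((name, f"{plain} is plaintext; use {prot}"))
            elif prot not in sec:
                findings.append((name, f"missing {plain}/{prot}"))
        client = sec.get("client")
        if client and client not in cp:
            findings.append((name, f"client={client} does not name a configured section"))
        port = sec.get("port", "1812")  # RADIUS default when the key is omitted
        if port in ports:
            findings.append((name, f"port {port} already used by [{ports[port]}]"))
        ports[port] = name
        mode = sec.get("failmode", "safe")  # Duo's default is safe (fail open)
        if mode not in ("safe", "secure"):
            findings.append((name, f"failmode={mode!r} is not 'safe' or 'secure'"))
        elif mode == "safe":
            findings.append((name, "failmode=safe fails open if Duo is unreachable; consider secure for admin access"))
    return findings
```

Run lint() over the contents of your own authproxy.cfg; on the sample it reports the plaintext AD bind password, the plaintext skey and radius_secret_1, and the malformed failmode value.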

With that done, we can now move on to ISE. Log in using your current admin username and password, then navigate to Administration > Identity Management > External Identity Sources.

Click RADIUS Token > Add to open the new RADIUS Token Server configuration. On the General tab, give your server a logical display name, then click the Connection tab. Enter the IP of your Duo AuthProxy, as well as the shared secret and port you configured earlier in the [radius_server_auto] section. Set the server timeout to something long enough to allow you to respond to MFA; for most scenarios, I do 45 seconds to account for any network latency, phone unlock issues, etc. If you have a pair of AuthProxies and you duplicated your config earlier, you may add the second proxy here. Click Save.

Navigate to Administration > System > Admin Access.

Expand Administrators and click Admin Groups, then give your group a name and, optionally, a description. Click Save.

Now go to Administrators > Admin Users > Add > Create Admin User.

Here we will create a shadow user in the local ISE database which ISE uses for Authorization only - i.e., there is no password supplied for the user, ISE is only using this username so that it can match the username you authenticate with when it processes its internal RBAC policy. You will need to create shadow users for each admin account that requires ISE access, and the shadow usernames need to exactly match the name of the account that Duo is looking up in AD and performing 2FA for.

All we have to do to make the user a shadow user is click the External checkbox under the username:

So, create your user based on your AD account username, mark the account as Enabled and External, and add them to the Group we created in the previous step. Click Save, and repeat for any other administrators in your organization.

Next, go to Authorization > RBAC policy, find the existing Super Admin policy rule, and click Actions > Duplicate.

Note: you can certainly make a rule manually here and supply whatever specific
permissions for it that you want - we are duplicating the basic Super Admin rule
because it already includes Super Admin Menu Access and Super Admin Data Access
permissions just like the default admin account - feel free to tune these
permissions and policy rules to your specific requirements.

Give your duplicated rule a name, choose your Admin group which was created in the previous step and your shadow user(s) are members of, and verify the permissions are correct (default Super Admin permissions in this example). Click Save.

Now, go to Authentication > Authentication Method, and select your Duo AuthProxy token server from the list. Click Save.

Time to test! Log out of ISE, and note that you now have a dropdown menu for the Admin GUI Identity source - ISE will always let you manually fall back to the internal user database for authentication in the event your external source(s) are unavailable, but it will default to your newly configured external authentication method.

Enter your AD-based, Duo-enrolled Admin credentials, and click Login. If you've configured all elements correctly, by default you should expect a Duo Push to arrive on your phone (or smartwatch) any second, which you can approve.

Once approved, you will be logged in, and you can verify your menu and data access per the configured RBAC policy rule. You can check admin login logs in ISE under Operations > Reports > Audit > Administrator Logins, and in the Duo Admin Panel you can check for the successful authentication on the Authentication Log page.

That's it! You've protected the protector, and added MFA to one of the most critical security tools in your network. You are now free to continue down the road to ZTA and SASE :)

Rick Beaupre

Cybersecurity Solutions Architect | Cyber Resilience Design | Mapping Cybersecurity Technologies to Frameworks | IAM/PAM | DSMM | DSPM

3 years

you beat me in the lab #labeveryday #aqcrew
