Automating Cisco ISE's Duo MFA Integration

Learn how to streamline and optimize the integration of Cisco ISE with Duo MFA through automation.


Understanding Cisco ISE and Duo MFA

Cisco ISE (Identity Services Engine) is Cisco's network access control platform: it authenticates users and devices and enforces access policy on the network. Duo MFA (Multi-Factor Authentication) adds a second authentication factor to user logins. By integrating Cisco ISE with Duo MFA, organizations require users to prove possession of a second factor beyond just a password before access is granted.

ISE 3.3.1 introduces built-in Duo MFA integration, which simplifies and streamlines deploying Duo with ISE (as discussed in a previous blog post). At the time of writing this is a beta feature and only supports Duo MFA for the Device Administration and Remote Access VPN use cases.

Cisco has published documentation and a video that walk through the integration using the GUI. I'd recommend that you take a look at them to familiarize yourself with the process. It always helps to have done something by hand before you automate it.

In this blog post, we'll explain how to set up the Duo-ISE integration programmatically through the ISE OpenAPI. This saves time and eliminates the copy-and-paste errors of a manual deployment. You can download the code here. Be sure to replace the variables (e.g., ISE server IP and credentials) with values specific to your deployment, and keep the credentials out of the script itself (read them from environment variables or a secrets store). Two prerequisites: the OpenAPI service must be enabled on ISE (Administration > System > Settings > API Settings), and the account you authenticate with must have the admin privileges needed to call it.


1 - Is MFA Enabled

We begin by checking whether MFA is already enabled on ISE. This step is optional but useful: it lets the script decide whether step 2 is needed instead of blindly re-enabling. It is a GET request to /api/v1/duo-mfa/status.

[Screenshot: 1 - isMFAenabled (request)]

Because MFA is not currently enabled on my ISE instance, this is the response.

[Screenshot: 1 - isMFAenabled - status (response)]

2 - Enable MFA

To enable MFA, we'll use a PUT request to /api/v1/duo-mfa/enable. We send a payload with the MFA status set to True. (To disable MFA, we would send the same request with the status set to False, so make sure your automation can never send this call with the wrong value.)

[Screenshot: 2 - EnableMFA (request)]

This is the response.

[Screenshot: 2 - status (response)]

3 - Create an ID Sync

Next, we'll need to create an Identity Sync. Its purpose is to tell ISE which Active Directory (join point and groups) the Duo-ISE integration should sync identities from.

In the payload, you'll need to name your sync and provide the Active Directory and AD groups you want to use. (You can find this information in the ISE GUI or programmatically by sending the appropriate GET requests to ISE.)

We'll use a POST request to /api/v1/duo-identitysync/identitysync.

[Screenshot: 3 - CreateIDsync (request)]

This is the response.

[Screenshot: 3 - status (response)]

4 - Add Duo Connection

Now that MFA is enabled in ISE and the Identity Sync exists, we can set up the Duo Connection.

This uses a POST request to /api/v1/duo-mfa/mfa.

The Duo-ISE integration involves two APIs that must be set up on the Duo side: the Duo Admin API and the Duo Auth API. Each is a separate application in the Duo Admin Panel with its own integration key, secret key and API hostname. Treat the secret keys like passwords: the Admin API key in particular can manage users in your Duo account, so grant it only the permissions the integration documentation calls for. Check out the documentation I referenced in my introduction for more information about this.

In the payload, you must provide the Duo Admin API and Auth API credentials as well as the Duo API hostname (the api-xxxxxxxx.duosecurity.com value shown in the Duo Admin Panel). You'll also reference the Identity Sync you created above and give the Duo Connection a name.

[Screenshot: 4 - addDuoConnection (request)]

This is the response.

[Screenshot: 4 - status (response)]
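The four steps above, driven end to end from one script. This is an added example written for this post, not the downloadable code or Cisco's own tooling. The endpoint paths and HTTP methods are the ones described above; the JSON key names inside the payloads (status, name, adJoinPoint, adGroups, connectionName, apiHostName, identitySync, adminApi, authApi, ikey, skey) and the assumption that the status call returns a boolean "status" field are assumptions you must check against the OpenAPI page on your own PAN (https://<ise-pan>/api/swagger-ui/index.html). The transport is injectable so the flow can be exercised offline, and TLS verification stays on because the requests carry your ISE admin password and both Duo secret keys.

```python
"""Drive the ISE 3.3.1 Duo MFA OpenAPI end to end (example code, not Cisco's).

Assumptions (check against https://<ise-pan>/api/swagger-ui/index.html): the
payload key names below, and that GET /duo-mfa/status returns {"status": bool}.
"""
import base64
import json
import os
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

Json = Dict[str, Any]


@dataclass
class HttpResult:
    status: int
    body: Json


# transport(method, url, headers, body_bytes) -> HttpResult; injectable so the
# client can be exercised offline with a fake instead of a live ISE node.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], HttpResult]


def urllib_transport(ca_bundle: Optional[str] = None) -> Transport:
    """Stdlib HTTPS transport that verifies the ISE certificate. Point ca_bundle
    at the CA that signed the ISE admin cert rather than disabling verification:
    a MITM on this call would capture the admin password and both Duo secrets."""
    ctx = ssl.create_default_context(cafile=ca_bundle)

    def send(method: str, url: str, headers: Dict[str, str], data: Optional[bytes]) -> HttpResult:
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                raw = resp.read()
                return HttpResult(resp.status, json.loads(raw) if raw else {})
        except urllib.error.HTTPError as err:  # 4xx/5xx usually carry a JSON error body
            raw = err.read()
            return HttpResult(err.code, json.loads(raw) if raw else {})

    return send


class IseDuoClient:
    """Thin wrapper around the four duo-mfa / duo-identitysync calls from the post."""

    def __init__(self, host: str, username: str, password: str, transport: Transport):
        self.base = f"https://{host}"
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Accept": "application/json", "Content-Type": "application/json",
                        "Authorization": f"Basic {token}"}
        self.transport = transport

    def _call(self, method: str, path: str, payload: Optional[Json] = None) -> Json:
        data = json.dumps(payload).encode() if payload is not None else None
        result = self.transport(method, self.base + path, self.headers, data)
        if result.status >= 400:  # fail loudly; a half-applied integration is worse than none
            raise RuntimeError(f"{method} {path} -> HTTP {result.status}: {result.body}")
        return result.body

    def mfa_status(self) -> Json:                      # step 1
        return self._call("GET", "/api/v1/duo-mfa/status")

    def set_mfa_enabled(self, enabled: bool) -> Json:  # step 2 (False would disable MFA)
        return self._call("PUT", "/api/v1/duo-mfa/enable", {"status": enabled})

    def create_identity_sync(self, name: str, ad_join_point: str, ad_groups: List[str]) -> Json:  # step 3
        payload = {"name": name, "adJoinPoint": ad_join_point, "adGroups": ad_groups}  # key names: assumption
        return self._call("POST", "/api/v1/duo-identitysync/identitysync", payload)

    def create_duo_connection(self, name: str, api_host: str, identity_sync: str,   # step 4
                              admin_ikey: str, admin_skey: str, auth_ikey: str, auth_skey: str) -> Json:
        payload = {  # key names: assumption
            "connectionName": name, "apiHostName": api_host, "identitySync": identity_sync,
            "adminApi": {"ikey": admin_ikey, "skey": admin_skey},
            "authApi": {"ikey": auth_ikey, "skey": auth_skey},
        }
        return self._call("POST", "/api/v1/duo-mfa/mfa", payload)


def setup_duo_integration(client: IseDuoClient, cfg: Json) -> List[str]:
    """Run steps 1-4 in order, skipping the enable call when MFA is already on.
    Returns the actions taken so a re-run is auditable."""
    actions: List[str] = []
    if client.mfa_status().get("status") is True:  # assumes a boolean 'status' in the body
        actions.append("mfa already enabled")
    else:
        client.set_mfa_enabled(True)
        actions.append("mfa enabled")
    client.create_identity_sync(cfg["sync_name"], cfg["ad_join_point"], cfg["ad_groups"])
    actions.append(f"identity sync {cfg['sync_name']} created")
    client.create_duo_connection(cfg["connection_name"], cfg["duo_api_host"], cfg["sync_name"],
                                 cfg["admin_ikey"], cfg["admin_skey"], cfg["auth_ikey"], cfg["auth_skey"])
    actions.append(f"duo connection {cfg['connection_name']} created")
    return actions


if __name__ == "__main__":
    e = os.environ  # credentials and Duo secrets come from the environment, never the script
    client = IseDuoClient(e["ISE_HOST"], e["ISE_USER"], e["ISE_PASS"], urllib_transport(e.get("ISE_CA_BUNDLE")))
    print(setup_duo_integration(client, {
        "sync_name": "corp-ad-sync", "ad_join_point": e["AD_JOIN_POINT"], "ad_groups": e["AD_GROUPS"].split(","),
        "connection_name": "duo-prod", "duo_api_host": e["DUO_API_HOST"],
        "admin_ikey": e["DUO_ADMIN_IKEY"], "admin_skey": e["DUO_ADMIN_SKEY"],
        "auth_ikey": e["DUO_AUTH_IKEY"], "auth_skey": e["DUO_AUTH_SKEY"],
    }))
```

Run it with the ISE_*, AD_* and DUO_* environment variables set; the returned action list tells you which of the four steps actually changed state, and any non-2xx response stops the run before the next step is attempted.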

Conclusion

We're now ready to use our Duo Connection in an MFA rule in a policy set. Building a policy set through automation is a whole other subject, so we'll look at how to do that comprehensively in a follow-up blog post.

I hope this post on setting up the Duo-ISE integration has been helpful. Please reach out if you have any questions or comments.