topic MFA for TACACS+ via ISE - Is RSA Secure-ID the only option? in Network Access Control

MFA for TACACS+ via ISE - Is RSA Secure-ID the only option?

darthnul — Mon, 11 Mar 2019 07:08:06 GMT

I am currently running Cisco Secure ACS for TACACS and other things. I have to move to another platform due to PCI DSS 3.2 requirements.

ISE is the leading contender to replace ACS but I also have a requirement to implement multi-factor authentication (MFA) everywhere.

The ISE 2.1 implementation guide states that RSA Secure-ID is supported for MFA with TACACS logins. I don't have RSA Secure-ID and likely won't ever have it.

The implementation guide and my Cisco vendor also make the more general statement that ISE will work with any MFA solution that has a RADIUS compliant front-end. That's nice because I already have one of those (SafeNet/SafeWord). What they aren't saying is whether that will work specifically for authenticating TACACS authentications. The only docs I can find on this subject are all/only about ISE doing this for RADIUS clients such as the Cisco ASA handling Anyconnect VPN client.

Has anybody gotten ISE TACACS to work with MFA with anything other than Secure-ID? Got links?

I'm told on good authority

Marvin Rhoads — Mon, 10 Oct 2016 00:42:34 GMT

I'm told on good authority that SafeNet/SafeWord will indeed work with ISE 2.1+ as your TACACS server.

It relies on the fact that it works with all "RADIUS devices that adhere to the standard protocols".

Sorry but we don't have any doc or links for it.

Thanks for the reply Marvin!

darthnul — Mon, 10 Oct 2016 16:54:34 GMT

Thanks for the reply Marvin!

Unfortunately, I have to be absolutely sure before making a recommendation to purchase. I was pretty sure myself a while ago but when I went through one of the SafeWord implementation guides it was only about RADIUS clients and it relied on the RADIUS challenge/response feature which is not present in the TACACS protocol, and when I looked more closely at the language used by my Cisco contact and others, I saw words like "believe" and "expect" rather than a definitive response like "Yes it will work".

I hope I don't have to install ISE with a trial license and figure it out myself.

@darthnul

Marvin Rhoads — Mon, 10 Oct 2016 16:57:46 GMT

darthnul

Message me with your contact details - I will endeavor to put you in touch with some Cisco resources who can confirm your due diligence investigation.

Thanks Marvin.

darthnul — Mon, 10 Oct 2016 17:31:37 GMT

Thanks Marvin.

Is there a way to send a private message within the forum? I'm not seeing one.

Click on your name in the top

Marvin Rhoads — Mon, 10 Oct 2016 17:40:14 GMT

Click on your name in the top right to see your profile. Then choose the "Message" tab and click on "New Message".

Re: MFA for TACACS+ via ISE - Is RSA Secure-ID the only option?

johnhite — Thu, 02 Aug 2018 12:10:17 GMT

I'm running into the same issue now setting up a token radius server for authentication. It seems they are communicating and login is still occurring via tacacs using AD creds.

MFA and ASDM: I'm told on good authority

arnert — Wed, 03 Apr 2019 19:14:32 GMT

Ok, so I understand that MFA authentication is only provided by 3rd parties vendors. For a RSA and a ISE cisco shop (our enterprise). What are 2fa options available other than these companies? And if not.

Is there a known configuration to configure a local certificate map to filter non network admins when using RSA to run ssh or asdm? Our RSA db is not connected to ldap.

Additionally: Can ISE proxy the RSA/SDI communication similar to how we have our Anyconnect clients currently configured.

MFA is easier using the remote access config because the server instance can do certificate plus username and password. thx marvin. Struggling here with 800-171 issues.