https://community.cisco.com/t5/network-access-control/ise-admin-login-2fa/m-p/3699245#M507905 <P>Yes, this should work.</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0101.html#ID766" target="_blank">Administrative Access to Cisco ISE Using an External Identity Store</A>&nbsp;says,&nbsp;</P> <P><FONT color="#333399"><EM>...</EM></FONT></P> <UL class="ul"> <LI id="ID766__li_31B828D68C3A46EE9E1FA90BA19E691C" class="li"> <P class="p Bu1_Bullet1-CC106A77"><FONT color="#333399"><EM>External Authentication and Internal Authorization—The administrator’s authentication credentials come from the external identity source, and authorization and administrator role assignment take place using the local Cisco ISE database. This model is used for RSA SecurID authentication. This method requires you to configure the same username in both the external identity store and the local Cisco ISE database.</EM></FONT></P> </LI> </UL> <P><FONT color="#333399"><EM>...</EM></FONT></P> <UL class="ul"> <LI class="link ulchildlink"><FONT color="#333399"><EM><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0101.html#ID929" target="_blank">Configure Admin Access Using an External Identity Store for Authentication with Internal Authorization</A></EM></FONT></LI> </UL> <P><FONT color="#333399"><EM>...</EM></FONT></P> <P>&nbsp;</P> <P>As DUO is a RADIUS token ID source similar to RSA SecurID, we would follow the same mode and need creating internal admin users with the same usernames as those on DUO.</P> <P>&nbsp;</P> Sat, 01 Sep 2018 22:44:14 GMT hslai 2018-09-01T22:44:14Z https://community.cisco.com/t5/network-access-control/ise-admin-login-2fa/m-p/3697112#M507895 <P>Can you enable DUO auth within a policy for ISE admin login on the landing ISE page?</P> Wed, 29 Aug 2018 15:57:13 GMT https://community.cisco.com/t5/network-access-control/ise-admin-login-2fa/m-p/3697112#M507895 Steven Williams 2018-08-29T15:57:13Z https://community.cisco.com/t5/network-access-control/ise-admin-login-2fa/m-p/3697230#M507898 <P>Please do Search the community for existing answers before posting questions.</P> <DIV class="lia-page-header"> <UL> <LI><A href="https://community.cisco.com/t5/security-documents/two-factor-authentication-on-ise-2fa-on-ise/ta-p/3636120" target="_self">Two Factor Authentication on ISE – 2FA on ISE</A></LI> <LI> <P><A href="https://community.cisco.com/t5/security-documents/using-duo-with-ise-2-3-and-acs-5-x-for-2fa-cisco-network-admin/ta-p/3642171" target="_self">Using DUO with ISE 2.3 and ACS 5.X for 2FA Cisco Network Admin Access</A></P> </LI> </UL> </DIV> Wed, 29 Aug 2018 17:49:27 GMT https://community.cisco.com/t5/network-access-control/ise-admin-login-2fa/m-p/3697230#M507898 thomas 2018-08-29T17:49:27Z https://community.cisco.com/t5/network-access-control/ise-admin-login-2fa/m-p/3699245#M507905 <P>Yes, this should work.</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0101.html#ID766" target="_blank">Administrative Access to Cisco ISE Using an External Identity Store</A>&nbsp;says,&nbsp;</P> <P><FONT color="#333399"><EM>...</EM></FONT></P> <UL class="ul"> <LI id="ID766__li_31B828D68C3A46EE9E1FA90BA19E691C" class="li"> <P class="p Bu1_Bullet1-CC106A77"><FONT color="#333399"><EM>External Authentication and Internal Authorization—The administrator’s authentication credentials come from the external identity source, and authorization and administrator role assignment take place using the local Cisco ISE database. This model is used for RSA SecurID authentication. This method requires you to configure the same username in both the external identity store and the local Cisco ISE database.</EM></FONT></P> </LI> </UL> <P><FONT color="#333399"><EM>...</EM></FONT></P> <UL class="ul"> <LI class="link ulchildlink"><FONT color="#333399"><EM><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0101.html#ID929" target="_blank">Configure Admin Access Using an External Identity Store for Authentication with Internal Authorization</A></EM></FONT></LI> </UL> <P><FONT color="#333399"><EM>...</EM></FONT></P> <P>&nbsp;</P> <P>As DUO is a RADIUS token ID source similar to RSA SecurID, we would follow the same mode and need creating internal admin users with the same usernames as those on DUO.</P> <P>&nbsp;</P> Sat, 01 Sep 2018 22:44:14 GMT https://community.cisco.com/t5/network-access-control/ise-admin-login-2fa/m-p/3699245#M507905 hslai 2018-09-01T22:44:14Z https://community.cisco.com/t5/network-access-control/ise-admin-login-2fa/m-p/3876233#M507907 Very unhelpful answer given that both of the links address something different than what he asked for.<BR /> Wed, 19 Jun 2019 17:48:43 GMT https://community.cisco.com/t5/network-access-control/ise-admin-login-2fa/m-p/3876233#M507907 Christopher Bell 2019-06-19T17:48:43Z