https://community.cisco.com/t5/network-access-control/supplicant-settings-for-2factor-dot1x-authenitcation/m-p/3487766#M511839 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I have a customer who wants to use SafeNet for 2-factor authentication for dot1x.</P><P>According to the SafeNet ISE integration guide for VPN, SafeNet is added as a Radius Server Token so I am guessing the same configuration will be applied for dot1x.</P><P></P><P>1. What various options do we have for supplicant configuration for a) Windows b) MAC c) Mobile Endpoints endpoints ? </P><P></P><P>2. The customer also wants the user to only enter its user-id and passcode and does not want the user to enter the AD password. Is this possible ? I've seen an integration with Duo using EAP-GTC but that requires AD username and password.</P><P></P><P></P><P>Thanks in advance</P></BODY></HTML> Mon, 05 Mar 2018 19:01:29 GMT umahar 2018-03-05T19:01:29Z https://community.cisco.com/t5/network-access-control/supplicant-settings-for-2factor-dot1x-authenitcation/m-p/3487766#M511839 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I have a customer who wants to use SafeNet for 2-factor authentication for dot1x.</P><P>According to the SafeNet ISE integration guide for VPN, SafeNet is added as a Radius Server Token so I am guessing the same configuration will be applied for dot1x.</P><P></P><P>1. What various options do we have for supplicant configuration for a) Windows b) MAC c) Mobile Endpoints endpoints ? </P><P></P><P>2. The customer also wants the user to only enter its user-id and passcode and does not want the user to enter the AD password. Is this possible ? I've seen an integration with Duo using EAP-GTC but that requires AD username and password.</P><P></P><P></P><P>Thanks in advance</P></BODY></HTML> Mon, 05 Mar 2018 19:01:29 GMT https://community.cisco.com/t5/network-access-control/supplicant-settings-for-2factor-dot1x-authenitcation/m-p/3487766#M511839 umahar 2018-03-05T19:01:29Z https://community.cisco.com/t5/network-access-control/supplicant-settings-for-2factor-dot1x-authenitcation/m-p/3487767#M511840 <HTML><HEAD></HEAD><BODY><P>You are correct that ISE supports EAP-GTC with a RADIUS token server as the ID source.</P><P>1.a. Windows can use <SPAN style="text-decoration: line-through;">either native supplicant or</SPAN> AnyConnect</P><P>1.b. macOS native supplicant and Apple iOS are not specifying the inner method on the endpoints' side. We should be able to use ISE allowed protocols to influence EAP-GTC selected as the inner method.</P><P>1.c. My Google Nexus 5X running Android 8.1.0 test device has GTC as one of the options for Phase 2 auth. Thus, I believe newer Android devices likely all have such support.</P><P></P><P>2. Most token vendors have the options to either OTP alone or combining it with another password. Thus, I believe SafeNet has similar options.</P></BODY></HTML> Mon, 05 Mar 2018 21:16:23 GMT https://community.cisco.com/t5/network-access-control/supplicant-settings-for-2factor-dot1x-authenitcation/m-p/3487767#M511840 hslai 2018-03-05T21:16:23Z https://community.cisco.com/t5/network-access-control/supplicant-settings-for-2factor-dot1x-authenitcation/m-p/3487768#M511841 <HTML><HEAD></HEAD><BODY><P>Thanks.</P><P></P><P>I'll test these options out in lab.</P><P></P><P>I also have another customer who uses RSA token for windows login. </P><P>Is it possible to use this RSA token for dot1x authentication in EAP-GTC like we do user authentication in Peap-Mschapv2 by selecting 'Use My Windows login' ?&nbsp; </P></BODY></HTML> Mon, 05 Mar 2018 22:30:15 GMT https://community.cisco.com/t5/network-access-control/supplicant-settings-for-2factor-dot1x-authenitcation/m-p/3487768#M511841 umahar 2018-03-05T22:30:15Z https://community.cisco.com/t5/network-access-control/supplicant-settings-for-2factor-dot1x-authenitcation/m-p/3487769#M511842 <HTML><HEAD></HEAD><BODY><P>After looking again, I am not finding the option to set token or EAP-GTC with Windows native supplicant. Sorry for my mistake. I must have been thinking of smart card.</P></BODY></HTML> Mon, 05 Mar 2018 23:48:33 GMT https://community.cisco.com/t5/network-access-control/supplicant-settings-for-2factor-dot1x-authenitcation/m-p/3487769#M511842 hslai 2018-03-05T23:48:33Z https://community.cisco.com/t5/network-access-control/supplicant-settings-for-2factor-dot1x-authenitcation/m-p/3487770#M511844 <HTML><HEAD></HEAD><BODY><P>Viktor did mention this briefly. </P><P>I think on Windows 10 this can be achieved natively by using EAP-TTLS.</P><P>We definitely need a guide or a doc as I see more customers looking for 2FA on dot1x. </P></BODY></HTML> Tue, 06 Mar 2018 15:27:28 GMT https://community.cisco.com/t5/network-access-control/supplicant-settings-for-2factor-dot1x-authenitcation/m-p/3487770#M511844 umahar 2018-03-06T15:27:28Z https://community.cisco.com/t5/network-access-control/supplicant-settings-for-2factor-dot1x-authenitcation/m-p/3487771#M511846 <HTML><HEAD></HEAD><BODY><P>When you got everything worked out, please contribute it as a doc to this community. Thanks a lot!</P></BODY></HTML> Fri, 09 Mar 2018 02:47:02 GMT https://community.cisco.com/t5/network-access-control/supplicant-settings-for-2factor-dot1x-authenitcation/m-p/3487771#M511846 hslai 2018-03-09T02:47:02Z