https://community.cisco.com/t5/network-access-control/ise-as-two-factor-authentication-tool/m-p/3450394#M512719 <HTML><HEAD></HEAD><BODY><P>The chaining options are not true MFA.&nbsp; MFA typically refers to multiple factors (such as something you have, something you know, something you are) being used for a specific identity.&nbsp; The chaining options are separate, discreet auth events, but combined together to provide a single access policy decision.&nbsp; This is similar to the ASA double authentication feature.&nbsp; It is not MFA in pure sense.&nbsp; That said, you need to decide what is the outcome you are trying to achieve. </P><P></P><P>We do not have any special integration with DUO, although I have received reports of successful integration with ISE.&nbsp; DUO is more of a true MFA type function which can work outside ISE, but may have the needed hooks via RADIUS, LDAP, or other integration into web auth flow.</P></BODY></HTML> Tue, 13 Mar 2018 14:20:03 GMT Craig Hyps 2018-03-13T14:20:03Z https://community.cisco.com/t5/network-access-control/ise-as-two-factor-authentication-tool/m-p/3450391#M512716 <HTML><HEAD></HEAD><BODY><P>Can ISE be configured to create a two-factor authentication protocol without the use of an external identity source like an RSA token? Or at least can it be configured to work with other Cisco products in a way that acts as two-factor authentication like in conjunction with Anyconnect? </P></BODY></HTML> Mon, 12 Mar 2018 18:38:14 GMT https://community.cisco.com/t5/network-access-control/ise-as-two-factor-authentication-tool/m-p/3450391#M512716 mweintraub 2018-03-12T18:38:14Z https://community.cisco.com/t5/network-access-control/ise-as-two-factor-authentication-tool/m-p/3450392#M512717 <HTML><HEAD></HEAD><BODY><P>Suggest review this session from Cisco Live 2017: <A href="https://www.ciscolive.com/global/on-demand-library/?search=brksec-3697#/session/1475057171505001duty" title="https://www.ciscolive.com/global/on-demand-library/?search=brksec-3697#/session/1475057171505001duty">On-Demand Library - Cisco Live Global Events</A>&nbsp; (see Reference presentation).</P><P></P><P>Specific OTP, that is something requires integration with external RSA/RADIUS-based token server, as ISE is not a OTP server.&nbsp; Some examples that may address the customer goal (and not all technically qualify as pure MFA) include EAP Chaining, CWA Chaining, EZC Chaining, Machine Access Restrictions (MAR).&nbsp; Some methods are NAD based (for example, ASA can perform double auth), or are client based (for example, biometric reader or PIN to unluck credentials/certificate).&nbsp; The session I cite above also gets into the options to handle the device + user auth, which is not MFA, but multiple identity auth.</P><P></P><P>Craig</P></BODY></HTML> Mon, 12 Mar 2018 20:57:49 GMT https://community.cisco.com/t5/network-access-control/ise-as-two-factor-authentication-tool/m-p/3450392#M512717 Craig Hyps 2018-03-12T20:57:49Z https://community.cisco.com/t5/network-access-control/ise-as-two-factor-authentication-tool/m-p/3450393#M512718 <HTML><HEAD></HEAD><BODY><P>so it is not a problem to implement MFA (lets say DUO) with dot1x for user auth? do I need to use some xy chaining? thank you</P></BODY></HTML> Tue, 13 Mar 2018 12:27:42 GMT https://community.cisco.com/t5/network-access-control/ise-as-two-factor-authentication-tool/m-p/3450393#M512718 peter.matuska1 2018-03-13T12:27:42Z https://community.cisco.com/t5/network-access-control/ise-as-two-factor-authentication-tool/m-p/3450394#M512719 <HTML><HEAD></HEAD><BODY><P>The chaining options are not true MFA.&nbsp; MFA typically refers to multiple factors (such as something you have, something you know, something you are) being used for a specific identity.&nbsp; The chaining options are separate, discreet auth events, but combined together to provide a single access policy decision.&nbsp; This is similar to the ASA double authentication feature.&nbsp; It is not MFA in pure sense.&nbsp; That said, you need to decide what is the outcome you are trying to achieve. </P><P></P><P>We do not have any special integration with DUO, although I have received reports of successful integration with ISE.&nbsp; DUO is more of a true MFA type function which can work outside ISE, but may have the needed hooks via RADIUS, LDAP, or other integration into web auth flow.</P></BODY></HTML> Tue, 13 Mar 2018 14:20:03 GMT https://community.cisco.com/t5/network-access-control/ise-as-two-factor-authentication-tool/m-p/3450394#M512719 Craig Hyps 2018-03-13T14:20:03Z