topic Re: Cisco ISE TACACS+ with RSA Securid and AD integration in Network Access Control

Cisco ISE TACACS+ with RSA Securid and AD integration

Nathan Falcon — Wed, 21 Feb 2018 21:15:43 GMT

We'd like to control device TACACS authorization with AD Users and Groups while using RSA tokens for authentication. Does ISE support the ability to support the combination of AD Username and RSA Token passcode when using TACACS?

ex:

1) Login to the network device and prompted for username

2) Username: <AD user>

3) Password: <RSA Passcode>

Authorize user based on assigned AD Group.

Re: Cisco ISE TACACS+ with RSA Securid and AD integration

Nidhi — Thu, 22 Feb 2018 03:52:02 GMT

This has been explained here - Two Factor Authentication on ISE – 2FA on ISE and Cisco ISE Two Factor Authentication / Authorisation with different User Identity Store

You can also do AD+OTP authentication by integrating the token server with AD

Thanks,

Nidhi

Re: Cisco ISE TACACS+ with RSA Securid and AD integration

west33637 — Wed, 26 Sep 2018 20:35:25 GMT

Hello Nathan. How does this work? ISE will need to have the RSA AM configured as an external identity source in the authentication policy. where will ISE get the AD group info of the authenticating user in order to configure authorization policies against?

Does the RSA pass AD group information to ISE for the purpose of authorization?

Re: Cisco ISE TACACS+ with RSA Securid and AD integration

mmisonne — Thu, 05 Nov 2020 11:46:03 GMT

Hello
I want to know the answer :"Does the RSA pass AD group information to ISE for the purpose of authorization"
Because I have a problem with autorization .
Authentication pass with RSA , but Authorization fail with : "subject not found in applicable Identity store""
( Logs on RSA server says: Authentication method success)
So the question is: Does the ISE makes an AD access to verify the AD-group of the user , or does ISE uses the answer of the RSA to match the user to the AD-Group. ?

Michel

Re: Cisco ISE TACACS+ with RSA Securid and AD integration

paul — Thu, 05 Nov 2020 13:19:13 GMT

You need to turn in identity caching under your RSA definition.

Re: Cisco ISE TACACS+ with RSA Securid and AD integration

mmisonne — Fri, 06 Nov 2020 09:19:12 GMT

Hello Paul

Great..! You directly found the solution.
In fact , this parameter "identity caching" is new. It doesn't exist with version 2.2. So doing a migration cause the problem, because it is not checked during the upgrade !.

So I resume: When the pb is : RSA Autorisation fail but RSA Authentication pass, and if you find in the autorisation step the line
   15013 Selected Identity Source - RSA SecurID
   24558 User cache is not enabled in the RSA identity store configuration - RSA SecurID
   22016 Identity sequence completed iterating the IDStores
   22056 Subject not found in the applicable identity store(s)
The solution is to enable "Identity caching": in
External id source: RSA secureID > tab Authentication Control:

Many thanks for your help !!