https://community.cisco.com/t5/network-access-control/ise-integration-with-rsa/m-p/3569372#M517830 <HTML><HEAD></HEAD><BODY><P>1. The link is pointing to the RSA implementation guide. I had already seen this document earlier. It explains the two ways of configuring the integration with ISE but not what are the differences. To rephrase my question, what are the benefits (if any) of integrating the server as a RSA Identity Sources instead of RADIUS Token Identity Sources ?</P><P></P><P>2. I'm pretty familiar with the different EAP types and the different authentications method. The question is what is the difference in NAM behavior when you configure "Authenticate using a password" with EAP GTC and "Authenticate using a token and EAP-GTC". That sounds like two redundant options.</P><P>Why do we have the choice for the last option? The token could also be considered as a password (yes it is changing every time but that is transparent for NAM)</P></BODY></HTML> Wed, 14 Feb 2018 21:08:03 GMT jdal 2018-02-14T21:08:03Z https://community.cisco.com/t5/network-access-control/ise-integration-with-rsa/m-p/3569370#M517828 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Two questions regarding RSA integration:</P><P></P><P>1) In ISE, there are two way of integrating to the RSA server, either by using Native SecurID protocol or RADIUS protocol.</P><P>In my customer, the ISE admins couldn't get a sdconf.rec from the RSA admins so they have configured the integration via the RADIUS protocol. Is there any drawbacks?</P><P></P><P>2) They are actually planning to use OTP as an inner method of EAP-FAST.</P><P>In this case, it looks like we can configure it in two different ways, what is the difference between a "password" and a "token"?</P><P><IMG alt="Screen Shot 2018-02-14 at 17.38.29.png" class="image-1 jive-image" src="/legacyfs/online/fusion/115227_Screen Shot 2018-02-14 at 17.38.29.png" style="height: 258px; width: 620px;" /></P><P>Thanks</P></BODY></HTML> Wed, 14 Feb 2018 16:43:58 GMT https://community.cisco.com/t5/network-access-control/ise-integration-with-rsa/m-p/3569370#M517828 jdal 2018-02-14T16:43:58Z https://community.cisco.com/t5/network-access-control/ise-integration-with-rsa/m-p/3569371#M517829 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>For 1, please check Oncampus RSA authentication section in</P><P><A href="https://community.cisco.com/docs/DOC-71528">Two Factor Authentication on ISE – 2FA on ISE</A></P><P></P><P>For 2, Usually inner-methods such as MSCHAP use passwords that doesn't change unless there is a expiry period.</P><P>OTP is a one time password mechanism to support variety of servers such as OTP servers, RADIUS servers etc, idea is to generate one time password using a token which is different everytime you authenticate. EAP-GTC is an inner eap method supporting this.</P><P></P><P>Hope it helps.</P><P></P><P>Thanks</P><P>Krishnan</P></BODY></HTML> Wed, 14 Feb 2018 20:49:19 GMT https://community.cisco.com/t5/network-access-control/ise-integration-with-rsa/m-p/3569371#M517829 kthiruve 2018-02-14T20:49:19Z https://community.cisco.com/t5/network-access-control/ise-integration-with-rsa/m-p/3569372#M517830 <HTML><HEAD></HEAD><BODY><P>1. The link is pointing to the RSA implementation guide. I had already seen this document earlier. It explains the two ways of configuring the integration with ISE but not what are the differences. To rephrase my question, what are the benefits (if any) of integrating the server as a RSA Identity Sources instead of RADIUS Token Identity Sources ?</P><P></P><P>2. I'm pretty familiar with the different EAP types and the different authentications method. The question is what is the difference in NAM behavior when you configure "Authenticate using a password" with EAP GTC and "Authenticate using a token and EAP-GTC". That sounds like two redundant options.</P><P>Why do we have the choice for the last option? The token could also be considered as a password (yes it is changing every time but that is transparent for NAM)</P></BODY></HTML> Wed, 14 Feb 2018 21:08:03 GMT https://community.cisco.com/t5/network-access-control/ise-integration-with-rsa/m-p/3569372#M517830 jdal 2018-02-14T21:08:03Z https://community.cisco.com/t5/network-access-control/ise-integration-with-rsa/m-p/3569373#M517831 <HTML><HEAD></HEAD><BODY><P><A href="https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/configure-nam.html#ID-1424-00000202" style="font-family: inherit; font-size: inherit; font-style: inherit; color: #6f53bc;">AnyConnect Admin Guide on NAM EAP-GTC</A><SPAN style="font-size: 10pt;"> says,</SPAN></P><BLOCKQUOTE><TABLE border="1"><TBODY><TR><TD> <P style="margin-top: 6px; margin-bottom: 6px; font-family: CiscoSans, Arial, sans-serif; font-size: 14px; color: #58585b;"><EM>Neither the Network Access Manager, the authenticator, nor the EAP-GTC protocol can distinguish between password and token code. These options impact only the credential’s lifetime within the Network Access Manager. While a password can be remembered until logout or longer, the token code cannot (because the user is prompted for the token code with every authentication). </EM></P> </TD></TR></TBODY></TABLE></BLOCKQUOTE></BODY></HTML> Wed, 14 Feb 2018 21:48:40 GMT https://community.cisco.com/t5/network-access-control/ise-integration-with-rsa/m-p/3569373#M517831 hslai 2018-02-14T21:48:40Z