https://community.cisco.com/t5/network-access-control/two-factor-authentication-on-lan/m-p/3526439#M518717 <HTML><HEAD></HEAD><BODY><P>ISE does single authentications, other than EAP Chaining and CWA Chaining. However, a single authentication can be done with a multi-factor software/device. If not done already, I would suggest you to read:</P><UL><LI><A class="jive-link-external-small" href="https://blog.aniljohn.com/2014/11/why-multi-factor-and-two-factor-authentication-not-same.html" rel="nofollow" style="font-style: inherit; font-family: inherit; color: #0a63a7;" target="_blank">Why Multi-Factor and Two-Factor Authentication May Not Be the Same</A></LI><LI><A class="jive-link-external-small" href="https://pages.nist.gov/800-63-3/sp800-63b.html" rel="nofollow" style="font-style: inherit; font-family: inherit; color: #0a63a7;" target="_blank">SP 800-63B</A> (esp. <A class="jive-link-external-small" href="https://pages.nist.gov/800-63-3/sp800-63b.html#sec4" rel="nofollow" style="font-style: inherit; font-family: inherit; color: #0a63a7;" target="_blank"><SPAN style="font-style: inherit; font-family: inherit; color: #58585b;">4. Authenticator Assurance Levels</SPAN></A><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span><UL><LI style="margin-top: 0.5ex; margin-bottom: 0.5ex; font-style: inherit; font-family: inherit; list-style-type: inherit;">Multi-Factor OTP by itself can achieve AAL2.</LI></UL></LI></UL></BODY></HTML> Thu, 11 Jan 2018 00:26:57 GMT hslai 2018-01-11T00:26:57Z https://community.cisco.com/t5/network-access-control/two-factor-authentication-on-lan/m-p/3526437#M518715 <HTML><HEAD></HEAD><BODY><P>Hello Team,</P><P></P><P>I had a query on two factor authentication on LAN, can this be achievable on LAN. The requirement is to have the following-</P><P></P><P>- When the user connects his laptop on LAN, he should authenticate using his domain login and he should be prompted for a second factor before he is allowed access to the LAN.</P><P>- What is the licensing requirement to achieve this?</P><P>- Is there a limitation on the switch capability for this? Any particular variant only that supports this?</P><P></P><P>Regards,</P><P>Vikram</P></BODY></HTML> Wed, 10 Jan 2018 10:20:55 GMT https://community.cisco.com/t5/network-access-control/two-factor-authentication-on-lan/m-p/3526437#M518715 vgoda 2018-01-10T10:20:55Z https://community.cisco.com/t5/network-access-control/two-factor-authentication-on-lan/m-p/3526438#M518716 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P>1st Domain machine + certificate on machine</P><P></P><P>2nd Domain user + certificate on user(or username or password)</P><P>This will be simple dot1x authentication.\</P><P>You can check this <A href="https://community.cisco.com/docs/DOC-71528">Two Factor Authentication on ISE – 2FA on ISE</A></P></BODY></HTML> Wed, 10 Jan 2018 10:42:33 GMT https://community.cisco.com/t5/network-access-control/two-factor-authentication-on-lan/m-p/3526438#M518716 ognyan.totev 2018-01-10T10:42:33Z https://community.cisco.com/t5/network-access-control/two-factor-authentication-on-lan/m-p/3526439#M518717 <HTML><HEAD></HEAD><BODY><P>ISE does single authentications, other than EAP Chaining and CWA Chaining. However, a single authentication can be done with a multi-factor software/device. If not done already, I would suggest you to read:</P><UL><LI><A class="jive-link-external-small" href="https://blog.aniljohn.com/2014/11/why-multi-factor-and-two-factor-authentication-not-same.html" rel="nofollow" style="font-style: inherit; font-family: inherit; color: #0a63a7;" target="_blank">Why Multi-Factor and Two-Factor Authentication May Not Be the Same</A></LI><LI><A class="jive-link-external-small" href="https://pages.nist.gov/800-63-3/sp800-63b.html" rel="nofollow" style="font-style: inherit; font-family: inherit; color: #0a63a7;" target="_blank">SP 800-63B</A> (esp. <A class="jive-link-external-small" href="https://pages.nist.gov/800-63-3/sp800-63b.html#sec4" rel="nofollow" style="font-style: inherit; font-family: inherit; color: #0a63a7;" target="_blank"><SPAN style="font-style: inherit; font-family: inherit; color: #58585b;">4. Authenticator Assurance Levels</SPAN></A><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span><UL><LI style="margin-top: 0.5ex; margin-bottom: 0.5ex; font-style: inherit; font-family: inherit; list-style-type: inherit;">Multi-Factor OTP by itself can achieve AAL2.</LI></UL></LI></UL></BODY></HTML> Thu, 11 Jan 2018 00:26:57 GMT https://community.cisco.com/t5/network-access-control/two-factor-authentication-on-lan/m-p/3526439#M518717 hslai 2018-01-11T00:26:57Z https://community.cisco.com/t5/network-access-control/two-factor-authentication-on-lan/m-p/3526440#M518718 <HTML><HEAD></HEAD><BODY><P>Vikram,</P><P></P><P>As already discussed on your internal post...</P><P></P><P><SPAN style="font-size: 11.0pt; color: #1f497d;">Yes, this is achievable in many different ways.&nbsp;&nbsp;&nbsp; Here a pointer to a particular session (<A href="https://www.ciscolive.com/global/on-demand-library/?search=brksec-3697#/session/1475057171505001duty">BRKSEC-3697</A> from Melbourne 2017) which touches on various methods to achieve multiple identity auth.&nbsp; Also, OTP is supported for 802.1X and WebAuth to allow Token servers like RSA to be used as the ID store. </SPAN></P><P></P><P>Craig</P></BODY></HTML> Thu, 11 Jan 2018 07:10:42 GMT https://community.cisco.com/t5/network-access-control/two-factor-authentication-on-lan/m-p/3526440#M518718 Craig Hyps 2018-01-11T07:10:42Z