topic Re: ISE 2.3 - TACACS Device Administration with 2FA (Safenet / RSA) in Network Access Control

ISE 2.3 - TACACS Device Administration with 2FA (Safenet / RSA)

Davesh.Borasi — Wed, 27 Sep 2017 12:01:11 GMT

Hi,

We are currently researching on integrating ISE with Safenet / RSA for Device Administration and two factor authentication. Below is the sample flow of what we expect to test. Can you confirm if ISE supports this type of deployment

R1 is configured for TACACS to go ISE.

Administrator to SSH on R1

1) Authenticate with AD credential

2) After user validated using AD, 2FA OTP / Passcode using Safenet Radius will happen.

Regards,

Davesh

Re: ISE 2.3 - TACACS Device Administration with 2FA (Safenet / RSA)

hslai — Wed, 27 Sep 2017 15:47:42 GMT

Cisco ISE Two Factor Authentication / Authorisation with different User Identity Store shows what ISE is supporting today.

If needing it supported in one single login authentication, the best I can think of is that some RADIUS OTP vendors also connecting to AD/LDAP so they would accept AD+OTP together.

Re: ISE 2.3 - TACACS Device Administration with 2FA (Safenet / RSA)

paul — Wed, 27 Sep 2017 16:56:29 GMT

In addition to what Hsing said I would also ask what is the point of doing the AD authentication when you have 2FA implemented? You can involve AD authorization without asking them for their credentials. So the authentication phase can simply be ISE sending the RADIUS call to Safenet. The authorization phase can be an AD group check, check to verify their AD account is still enabled, etc.

Re: ISE 2.3 - TACACS Device Administration with 2FA (Safenet / RSA)

Davesh.Borasi — Thu, 28 Sep 2017 09:49:14 GMT

Hi,

Thanks for the info. I further checked and found that 2FA (RSA/Safenet etc..) shall do AD+OTP authentication and then using ISE we can perform the authorization for limiting device access privileges. The 2FA needs to be completed in a single Radius Request which might not happen with above scenario presented and would further complicate the setup.

So I believe the optiomal flow would be when Admin SSH to R1

1) R1 sends TACACS Request to ISE for validation

2) ISE checks the authentication profile to go to 2FA (RSA or Safenet) using Radius Service

3) RSA/Safenet perform the AD + OTP check (2FA)

4) Upon Access_Accept, ISE applies the authorization profiles for access restrictions.

Best Regards,

Davesh

Re: ISE 2.3 - TACACS Device Administration with 2FA (Safenet / RSA)

paul — Thu, 28 Sep 2017 16:50:26 GMT

That should work perfectly. Let 2FA server run the whole authentication process proxied through ISE and have just do authorization.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Re: ISE 2.3 - TACACS Device Administration with 2FA (Safenet / RSA)

Mountain Man — Thu, 15 Feb 2018 18:23:11 GMT

Have tested using DUO with ISE2.3 and ACS 5.6 for network device access using 2FA. Here are the steps for your reference:

Setup DUO proxy server and add ISE IPs as DUO proxy clients
In ISE, add DUO as a RADIUS Token in Administration > Identity Management > External Identity Sources.
Change Server Timeout value to 30 (or other appropriate value) seconds from default to relax user input timeout under Connection tab, make sure you have the correct DUO proxy server IP address and Shared Secret value entered there. Add the secondary server info if you have HA setup for the DUO proxy servers
Add network admins under Identities > Users and Create an Identity group, such as Net Admin; add all network admin users you created under Identities to the group. Note: make sure that the user you added in pick DUO as the Password Type under Passwords
Create a policy set for network admin access with condition DEVICE: Network Device Profile EQUALS: Cisco, where Cisco includes all your Cisco network devices and this just an example for Cisco. Note: Make sure that you put the new policy set at the bottom of Policy sets if you have multiple policy sets, such as VPN clients, wireless clients, and so on since you do not want to use the same admin user names as other user names, such as AD domain user name.
- Authentication Policy: set protocol match condition equal to Radius
- Authorization Policy: set Identity group equal to network admin group which you have created above
Configure Cisco device AAA section
- Create a Radius server group and add ISE servers under that group
- Configure authentication login default group using radius with optional local after radius failed
- Configure authorization commands default group using tacacs+ assuming you already have this group with ACS IPs configured.

Test it out and enjoy it