https://community.cisco.com/t5/network-access-control/cisco-ise-two-factor-authentication-authorisation-with-different/m-p/3510293#M527148 <HTML><HEAD></HEAD><BODY><P>Mario,</P><P></P><P>Authorization policy is meant to send suitable privileges for network admins that includes TACACS+ profile and command sets.</P><P>In authorization policy you can also verify it the users are part of a certain group as in the case of AD.</P><P></P><P>Authentication policy is what you need to verify credentials.</P><P>If you need to authenticate different TACACS+ service(login vs enable), you can do it as Hsing pointed out above.</P><P></P><P>Hope it clarifies.</P><P></P><P>Thanks</P><P>Krishnan</P></BODY></HTML> Wed, 30 Aug 2017 23:56:24 GMT kthiruve 2017-08-30T23:56:24Z https://community.cisco.com/t5/network-access-control/cisco-ise-two-factor-authentication-authorisation-with-different/m-p/3510291#M527138 <HTML><HEAD></HEAD><BODY><P>Hello everybody ,</P><P></P><P>My customer would like the following scenario for Device Administration (TACAS):</P><P></P><P>Authentication is to take place via the RSA SecureID server (user name and RSA passcode).</P><P></P><P>The authorization is to be carried out via the ISE User Identity Store. </P><P>(User name and password or only the password)</P><P></P><P>At the moment you can register with user name and RSA passcode</P><P>And for an ENABLE on the network component will be renewed</P><P>the RSA passcode.</P><P></P><P>Here, however, the password from the ISE User Identity Store is to be queried.</P><P></P><P>Is there a suitable authorization policy to implement this scenario?</P><P></P><P>Geetings Mario</P></BODY></HTML> Wed, 30 Aug 2017 08:27:13 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-two-factor-authentication-authorisation-with-different/m-p/3510291#M527138 data-dynamic 2017-08-30T08:27:13Z https://community.cisco.com/t5/network-access-control/cisco-ise-two-factor-authentication-authorisation-with-different/m-p/3510292#M527140 <HTML><HEAD></HEAD><BODY><P>I think you are asking about this feature -- Login Authentication and Enable Authorization Differentiation.</P><P></P><P>Given the usernames are the same in RSA and Internal Users, we may have the following:</P><P></P><TABLE border="1" cellpadding="0" cellspacing="0" height="99" style="width: 604px; height: 85px;"><THEAD><TR><TD colspan="3" style="border: inset 1.0pt; background: #CCCCCC; padding: .75pt .75pt .75pt .75pt;" width="504"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 9.0pt;">Authentication Policy</SPAN></P></TD></TR></THEAD><TBODY><TR><TD style="border: none; border-left: inset 1.0pt; background: white; padding: 0 1.45pt 0 1.45pt;" valign="top" width="18"><DIV align="center"><TABLE border="1" cellpadding="0" cellspacing="0" style="background-color: #00b304; border: none;"><TBODY><TR><TD style="border: solid black 1.0pt;" valign="top" width="16"></TD></TR></TBODY></TABLE></DIV></TD><TD colspan="2" style="border: none; border-right: outset 1.0pt; background: white; padding: 0 1.45pt 0 2.9pt;" valign="top" width="486"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 9.0pt; background: #FFFFCC;">Enable Password</SPAN><SPAN style="font-size: 9.0pt;"> <SPAN style="color: #7f7f7f;">: </SPAN>If <SPAN style="background: #FFFFCC;">TACACS:Service EQUALS Enable</SPAN><SPAN style="color: #7f7f7f;"> Allow Protocols : </SPAN><SPAN style="background: #FFFFCC;">Default Device Admin</SPAN>&nbsp;&nbsp; <SPAN style="color: #7f7f7f;">and </SPAN></SPAN></P></TD></TR><TR><TD style="border-top: none; border-left: inset 1.0pt; border-bottom: outset 1.0pt; border-right: none; background: white; padding: 0 1.45pt 0 1.45pt;" valign="top" width="18"><P align="center" class="GoldTableText"></P></TD><TD style="border: none; border-bottom: outset 1.0pt; background: #00B050; padding: 0 1.45pt 0 2.9pt;" valign="top" width="18"><P></P></TD><TD style="border-top: none; border-left: none; border-bottom: outset 1.0pt; border-right: outset 1.0pt; background: white; padding: 0 5.4pt 0 5.4pt;" valign="top" width="468"><P class="GoldTableText">Default <SPAN style="color: #7f7f7f;">use:</SPAN> <SPAN style="background-color: #ffffcc;">Internal Users</SPAN></P></TD></TR><TR><TD style="border: inset 1.0pt; border-top: none; background: white; padding: 0 1.45pt 0 1.45pt;" valign="top" width="18"><TABLE border="1" cellpadding="0" cellspacing="0" style="background-color: #00b304; border: none;"><TBODY><TR><TD style="border: solid black 1.0pt;" valign="top" width="16"></TD></TR></TBODY></TABLE></TD><TD colspan="2" style="border-top: none; border-left: none; border-bottom: inset 1.0pt; border-right: inset 1.0pt; background: white; padding: 0 1.45pt 0 2.9pt;" valign="top" width="486"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 9.0pt;">Default Rule (if no match) : Allow Protocols : Default Device Admin&nbsp;&nbsp; and use: <SPAN style="background-color: #ffffcc;">RSA</SPAN></SPAN></P></TD></TR></TBODY></TABLE></BODY></HTML> Wed, 30 Aug 2017 15:56:12 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-two-factor-authentication-authorisation-with-different/m-p/3510292#M527140 hslai 2017-08-30T15:56:12Z https://community.cisco.com/t5/network-access-control/cisco-ise-two-factor-authentication-authorisation-with-different/m-p/3510293#M527148 <HTML><HEAD></HEAD><BODY><P>Mario,</P><P></P><P>Authorization policy is meant to send suitable privileges for network admins that includes TACACS+ profile and command sets.</P><P>In authorization policy you can also verify it the users are part of a certain group as in the case of AD.</P><P></P><P>Authentication policy is what you need to verify credentials.</P><P>If you need to authenticate different TACACS+ service(login vs enable), you can do it as Hsing pointed out above.</P><P></P><P>Hope it clarifies.</P><P></P><P>Thanks</P><P>Krishnan</P></BODY></HTML> Wed, 30 Aug 2017 23:56:24 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-two-factor-authentication-authorisation-with-different/m-p/3510293#M527148 kthiruve 2017-08-30T23:56:24Z https://community.cisco.com/t5/network-access-control/cisco-ise-two-factor-authentication-authorisation-with-different/m-p/3510294#M527155 <HTML><HEAD></HEAD><BODY><P>Hello hslai,</P><P></P><P>Thanks for the answer. </P><P></P><P>I will test it and report back with the results.</P><P></P><P>Greeting Mario</P></BODY></HTML> Thu, 31 Aug 2017 08:41:03 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-two-factor-authentication-authorisation-with-different/m-p/3510294#M527155 data-dynamic 2017-08-31T08:41:03Z https://community.cisco.com/t5/network-access-control/cisco-ise-two-factor-authentication-authorisation-with-different/m-p/3510295#M527161 <HTML><HEAD></HEAD><BODY><P>Hello Krishnan , </P><P></P><P>Thanks for the answer. </P><P></P><P>Greeting Mario</P></BODY></HTML> Thu, 31 Aug 2017 08:41:18 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-two-factor-authentication-authorisation-with-different/m-p/3510295#M527161 data-dynamic 2017-08-31T08:41:18Z