https://community.cisco.com/t5/network-access-control/2-factor-authentication-for-administration-on-asa/m-p/3520646#M538309 <HTML><HEAD></HEAD><BODY><P>In the <A href="http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/user/guide/acsuserguide/admin_admin.html"><STRONG>User Guide for Cisco Secure Access Control System 5.8</STRONG></A> is a section <A href="http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/user/guide/acsuserguide/admin_admin.html#pgfId-1144681"><STRONG>Authenticating Administrators against RSA SecurID Server</STRONG></A> which should explain how to do with with an OTP/token server such as an RSA server. See the <A class="jive-link-external-small" href="http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/device_support/sdt58.html" onclick="" rel="nofollow" target="_blank"><STRONG>Supported and Interoperable Devices and Software for Cisco Secure Access Control System 5.8 </STRONG></A> for <A href="http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/device_support/sdt58.html#pgfId-75017"><STRONG>Supported External Identity Stores</STRONG></A>.</P><P></P><P>ISE has the same capability. Please read the <A class="jive-link-external-small" href="http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21.html" onclick="" rel="nofollow" target="_blank"><STRONG>Cisco Identity Services Engine Administrator Guide, Release 2.1 </STRONG></A>section for <A href="http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_0101.html#concept_7642DD36C0DD424CA423615BF013D0B9"><STRONG>Administrative Access to Cisco ISE</STRONG></A> and specifically&nbsp; <A href="http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_0101.html#ID766"><STRONG>Administrative Access to Cisco ISE Using an External Identity Store</STRONG></A>.</P></BODY></HTML> Fri, 08 Jul 2016 22:26:38 GMT thomas 2016-07-08T22:26:38Z https://community.cisco.com/t5/network-access-control/2-factor-authentication-for-administration-on-asa/m-p/3520645#M538307 <HTML><HEAD></HEAD><BODY><P>A customer has multiple ASAs set up mulit context. They would like to use 2 Factor authentication for admin access control, and have tried unsuccesfully with ACS.</P><P></P><P>Would this be possible using ISE with the Device Administration License?</P><P></P><P>From the customer for more color:</P><P>We’ve tried it with ACS, and it’s not supported that way either. I think the challenge from what I see in the logs is that there is a reauthentication that occurs every time you switch contexts. That wouldn’t work with SecurID which acts as an OTP.</P></BODY></HTML> Fri, 08 Jul 2016 16:30:34 GMT https://community.cisco.com/t5/network-access-control/2-factor-authentication-for-administration-on-asa/m-p/3520645#M538307 Jonathan Van Vuren 2016-07-08T16:30:34Z https://community.cisco.com/t5/network-access-control/2-factor-authentication-for-administration-on-asa/m-p/3520646#M538309 <HTML><HEAD></HEAD><BODY><P>In the <A href="http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/user/guide/acsuserguide/admin_admin.html"><STRONG>User Guide for Cisco Secure Access Control System 5.8</STRONG></A> is a section <A href="http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/user/guide/acsuserguide/admin_admin.html#pgfId-1144681"><STRONG>Authenticating Administrators against RSA SecurID Server</STRONG></A> which should explain how to do with with an OTP/token server such as an RSA server. See the <A class="jive-link-external-small" href="http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/device_support/sdt58.html" onclick="" rel="nofollow" target="_blank"><STRONG>Supported and Interoperable Devices and Software for Cisco Secure Access Control System 5.8 </STRONG></A> for <A href="http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/device_support/sdt58.html#pgfId-75017"><STRONG>Supported External Identity Stores</STRONG></A>.</P><P></P><P>ISE has the same capability. Please read the <A class="jive-link-external-small" href="http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21.html" onclick="" rel="nofollow" target="_blank"><STRONG>Cisco Identity Services Engine Administrator Guide, Release 2.1 </STRONG></A>section for <A href="http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_0101.html#concept_7642DD36C0DD424CA423615BF013D0B9"><STRONG>Administrative Access to Cisco ISE</STRONG></A> and specifically&nbsp; <A href="http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_0101.html#ID766"><STRONG>Administrative Access to Cisco ISE Using an External Identity Store</STRONG></A>.</P></BODY></HTML> Fri, 08 Jul 2016 22:26:38 GMT https://community.cisco.com/t5/network-access-control/2-factor-authentication-for-administration-on-asa/m-p/3520646#M538309 thomas 2016-07-08T22:26:38Z https://community.cisco.com/t5/network-access-control/2-factor-authentication-for-administration-on-asa/m-p/3520647#M538311 <HTML><HEAD></HEAD><BODY><P>Starting with version 5.5, ACS has the ability to cache the passcode for up to 5 minutes without going back to the RSA server. It will introduce a security hole, but will give you the ability to switch contexts without re-prompts, at least for 5 minutes.</P><P>ISE does not have this feature yet.</P></BODY></HTML> Sat, 09 Jul 2016 00:22:57 GMT https://community.cisco.com/t5/network-access-control/2-factor-authentication-for-administration-on-asa/m-p/3520647#M538311 vibobrov 2016-07-09T00:22:57Z