https://community.cisco.com/t5/network-access-control/ise-external-identity-store-two-factor-request-passes-token-and/m-p/3443715#M539325 <HTML><HEAD></HEAD><BODY><P>ISE experts,</P><P></P><P>My customer is using ISE for TACACS and would like to enable two factor authentication.</P><P></P><P>They currently have their two factor authentication server configured as an external identity store which works as expected.&nbsp; Problem is, when ISE sends the request to the RADIUS token server for authentication, it sends the AD username/password along with the token.&nbsp; If an admin with access to the RADIUS token server runs a debug, they can see the user’s active directory password which they want to avoid.</P><P></P><P>Question – Is it possible for ISE to separate the authentication request?&nbsp; Something like this:</P><OL style="list-style-type: decimal;"><LI>Supplicant sends credentials to ISE to authenticate against AD.</LI><LI>If AD credentials pass, supplicant sends the token to ISE to authenticate against RADIUS token server.</LI><LI>If pass, proceed to authorization policies.</LI></OL><P></P><P>Or alternative:</P><OL style="list-style-type: decimal;"><LI>Supplicant sends AD credentials and token to ISE for authentication.</LI><LI>ISE authenticates credentials against AD and sends the token only to the RADIUS token server.</LI><LI>If it passes, then proceed to authorization policies.</LI></OL><P></P><P>Thanks for your help!</P></BODY></HTML> Sat, 26 Mar 2016 00:44:37 GMT Phi Yim 2016-03-26T00:44:37Z https://community.cisco.com/t5/network-access-control/ise-external-identity-store-two-factor-request-passes-token-and/m-p/3443715#M539325 <HTML><HEAD></HEAD><BODY><P>ISE experts,</P><P></P><P>My customer is using ISE for TACACS and would like to enable two factor authentication.</P><P></P><P>They currently have their two factor authentication server configured as an external identity store which works as expected.&nbsp; Problem is, when ISE sends the request to the RADIUS token server for authentication, it sends the AD username/password along with the token.&nbsp; If an admin with access to the RADIUS token server runs a debug, they can see the user’s active directory password which they want to avoid.</P><P></P><P>Question – Is it possible for ISE to separate the authentication request?&nbsp; Something like this:</P><OL style="list-style-type: decimal;"><LI>Supplicant sends credentials to ISE to authenticate against AD.</LI><LI>If AD credentials pass, supplicant sends the token to ISE to authenticate against RADIUS token server.</LI><LI>If pass, proceed to authorization policies.</LI></OL><P></P><P>Or alternative:</P><OL style="list-style-type: decimal;"><LI>Supplicant sends AD credentials and token to ISE for authentication.</LI><LI>ISE authenticates credentials against AD and sends the token only to the RADIUS token server.</LI><LI>If it passes, then proceed to authorization policies.</LI></OL><P></P><P>Thanks for your help!</P></BODY></HTML> Sat, 26 Mar 2016 00:44:37 GMT https://community.cisco.com/t5/network-access-control/ise-external-identity-store-two-factor-request-passes-token-and/m-p/3443715#M539325 Phi Yim 2016-03-26T00:44:37Z https://community.cisco.com/t5/network-access-control/ise-external-identity-store-two-factor-request-passes-token-and/m-p/3443716#M539327 <HTML><HEAD></HEAD><BODY><P>Neither really supported by ISE today. I think your customer's token server supporting it because it has the inside knowledge which characters belong to OTP and the reset that of AD passwords.</P><P></P><P>What supported in ISE is CWA chaining -- to use AD to perform one auth (e.g. DOT1X) and then redirect to an ISE guest portal and authenticated by token.</P></BODY></HTML> Sat, 26 Mar 2016 04:04:52 GMT https://community.cisco.com/t5/network-access-control/ise-external-identity-store-two-factor-request-passes-token-and/m-p/3443716#M539327 hslai 2016-03-26T04:04:52Z https://community.cisco.com/t5/network-access-control/ise-external-identity-store-two-factor-request-passes-token-and/m-p/3443717#M539328 <HTML><HEAD></HEAD><BODY><P>Also it is common to use different ID stores for login and enable, by using the TACACS dictionary.</P><P>Please see that is an option for your customers.</P></BODY></HTML> Sat, 26 Mar 2016 18:55:44 GMT https://community.cisco.com/t5/network-access-control/ise-external-identity-store-two-factor-request-passes-token-and/m-p/3443717#M539328 hslai 2016-03-26T18:55:44Z https://community.cisco.com/t5/network-access-control/ise-external-identity-store-two-factor-request-passes-token-and/m-p/3443718#M539330 <HTML><HEAD></HEAD><BODY><P>Thanks for getting back to me.&nbsp; If we use different ID stores for login and enable, the problem still exist if the customer chooses two factor for enable right?</P></BODY></HTML> Mon, 28 Mar 2016 21:32:18 GMT https://community.cisco.com/t5/network-access-control/ise-external-identity-store-two-factor-request-passes-token-and/m-p/3443718#M539330 Phi Yim 2016-03-28T21:32:18Z https://community.cisco.com/t5/network-access-control/ise-external-identity-store-two-factor-request-passes-token-and/m-p/3443719#M539332 <HTML><HEAD></HEAD><BODY><P>Yep, if customers choose it that way.</P><P></P><P>IMHO It's essential two factors with one ID store for login and another for enable so customers need not send AD credentials to OTP. Anyhow, it's up to the customers.</P></BODY></HTML> Mon, 28 Mar 2016 21:44:16 GMT https://community.cisco.com/t5/network-access-control/ise-external-identity-store-two-factor-request-passes-token-and/m-p/3443719#M539332 hslai 2016-03-28T21:44:16Z