https://community.cisco.com/t5/network-access-control/ise-device-admin-with-2fa/m-p/4131340#M562151 <P>Hi Guys, I want my ISE Device Admin to be in 2FA (AD username + passcode). I know that ISE can only authenticate to one external ID store at a time so what I am going to do is to integrate my 2FA server (since my 2FA is integrated already to AD). My question now is, which of these options should I use?</P><P>1. External RADIUS Server (under the Network Resources category)</P><P>2. RADIUS Token (under the External ID Sources) - this is the existing setup but I noticed I need to configure a username stored locally in ISE DB in which I don't want. I want to leverage the integration of my 2FA and AD.</P><P>3. RSA SecurID (under the External ID Sources)</P><P>Thanks</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 06 Aug 2020 10:27:08 GMT fatalXerror 2020-08-06T10:27:08Z https://community.cisco.com/t5/network-access-control/ise-device-admin-with-2fa/m-p/4131340#M562151 <P>Hi Guys, I want my ISE Device Admin to be in 2FA (AD username + passcode). I know that ISE can only authenticate to one external ID store at a time so what I am going to do is to integrate my 2FA server (since my 2FA is integrated already to AD). My question now is, which of these options should I use?</P><P>1. External RADIUS Server (under the Network Resources category)</P><P>2. RADIUS Token (under the External ID Sources) - this is the existing setup but I noticed I need to configure a username stored locally in ISE DB in which I don't want. I want to leverage the integration of my 2FA and AD.</P><P>3. RSA SecurID (under the External ID Sources)</P><P>Thanks</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 06 Aug 2020 10:27:08 GMT https://community.cisco.com/t5/network-access-control/ise-device-admin-with-2fa/m-p/4131340#M562151 fatalXerror 2020-08-06T10:27:08Z https://community.cisco.com/t5/network-access-control/ise-device-admin-with-2fa/m-p/4131579#M562166 <P>Hi</P> <P>&nbsp;</P> <P>I personally don't know the rsa solution. When using Duo, I use Radius token and replied to a previous post with same requirements (<A href="https://community.cisco.com/t5/network-access-control/tacacs-authentication-with-a-proxy-radius-and-local/td-p/4088804" target="_blank">https://community.cisco.com/t5/network-access-control/tacacs-authentication-with-a-proxy-radius-and-local/td-p/4088804</A>)</P> <P>&nbsp;</P> <P>Doing a quick search on this forum, you can use Radius Token and external 2FA for RSA. See the following links (2nd link include an official guide from RSA):</P> <P><A href="https://community.cisco.com/t5/network-access-control/cisco-ise-tacacs-with-rsa-securid-and-ad-integration/td-p/3441295" target="_blank">https://community.cisco.com/t5/network-access-control/cisco-ise-tacacs-with-rsa-securid-and-ad-integration/td-p/3441295</A></P> <P><A href="https://community.cisco.com/t5/security-documents/two-factor-authentication-on-ise-2fa-on-ise/ta-p/3636120" target="_blank">https://community.cisco.com/t5/security-documents/two-factor-authentication-on-ise-2fa-on-ise/ta-p/3636120</A></P> <P>&nbsp;</P> Thu, 06 Aug 2020 17:42:16 GMT https://community.cisco.com/t5/network-access-control/ise-device-admin-with-2fa/m-p/4131579#M562166 Francesco Molino 2020-08-06T17:42:16Z https://community.cisco.com/t5/network-access-control/ise-device-admin-with-2fa/m-p/4131584#M562167 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/321306">@Francesco Molino</a>,</P><P>Thanks for your feedback, I'll check it out.</P><P>But I am just wondering what are the difference between those different ways to integrate RADIUS server?</P><P>Thaks</P> Thu, 06 Aug 2020 17:53:13 GMT https://community.cisco.com/t5/network-access-control/ise-device-admin-with-2fa/m-p/4131584#M562167 fatalXerror 2020-08-06T17:53:13Z https://community.cisco.com/t5/network-access-control/ise-device-admin-with-2fa/m-p/4131614#M562170 The external identity source called RSA SecurID is a specific integration between ISE and RSA. Radius Token is an external server communicating through radius protocol. In this last case, ISE act as a proxy Radius and gets infos regarding authentication from another radius for example. Thu, 06 Aug 2020 18:38:03 GMT https://community.cisco.com/t5/network-access-control/ise-device-admin-with-2fa/m-p/4131614#M562170 Francesco Molino 2020-08-06T18:38:03Z https://community.cisco.com/t5/network-access-control/ise-device-admin-with-2fa/m-p/4134152#M562287 <P>Did you look at the <A href="https://community.rsa.com/docs/DOC-99979" target="_self">Cisco ISE - RSA&nbsp;SecurID&nbsp;Access Implementation Guide</A> ?</P> Tue, 11 Aug 2020 21:45:24 GMT https://community.cisco.com/t5/network-access-control/ise-device-admin-with-2fa/m-p/4134152#M562287 thomas 2020-08-11T21:45:24Z