https://community.cisco.com/t5/network-access-control/guest-access-using-dual-factor-authentication/m-p/4511071#M571334 <P><FONT face="tahoma,arial,helvetica,sans-serif">Is there anyway that the guest access can be configured using a dual factor authentication?</FONT></P> <P>&nbsp;- what is the use case here, Guest itself different user and it required different access to go to internet, guest do not have any Local resource access, but with SMS can be possible you need integrate with your Portal.</P> <P><BR /><FONT face="tahoma,arial,helvetica,sans-serif">Or MAB based authentication using dual factor authentication?</FONT></P> <P>&nbsp;- what devices these are ?&nbsp; smart phones ? or dumb devices can not be input any data like medical devices or industrial devices.</P> <P><BR /><FONT face="tahoma,arial,helvetica,sans-serif">Is dual factor authentication possible using the base licenses?</FONT></P> <P><FONT face="tahoma,arial,helvetica,sans-serif">&nbsp;-&nbsp; Look at below what feature support each License : (ISE License Model and Features)</FONT></P> <P>&nbsp;</P> <P><FONT face="tahoma,arial,helvetica,sans-serif"><A href="https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide-c07-656177.html#7Licensemanagement" target="_blank">https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide-c07-656177.html#7Licensemanagement</A></FONT></P> Wed, 01 Dec 2021 09:28:05 GMT balaji.bandi 2021-12-01T09:28:05Z https://community.cisco.com/t5/network-access-control/guest-access-using-dual-factor-authentication/m-p/4511028#M571333 <P><FONT face="tahoma,arial,helvetica,sans-serif">Hi Experts,</FONT></P><P><FONT face="tahoma,arial,helvetica,sans-serif">Is there anyway that the guest access can be configured using a dual factor authentication?</FONT><BR /><FONT face="tahoma,arial,helvetica,sans-serif">Or MAB based authentication using dual factor authentication?</FONT><BR /><FONT face="tahoma,arial,helvetica,sans-serif">Is dual factor authentication possible using the base licenses?</FONT></P><P><FONT face="tahoma,arial,helvetica,sans-serif">Any pointers appreciated.</FONT></P> Wed, 01 Dec 2021 07:19:34 GMT https://community.cisco.com/t5/network-access-control/guest-access-using-dual-factor-authentication/m-p/4511028#M571333 dgaikwad 2021-12-01T07:19:34Z https://community.cisco.com/t5/network-access-control/guest-access-using-dual-factor-authentication/m-p/4511071#M571334 <P><FONT face="tahoma,arial,helvetica,sans-serif">Is there anyway that the guest access can be configured using a dual factor authentication?</FONT></P> <P>&nbsp;- what is the use case here, Guest itself different user and it required different access to go to internet, guest do not have any Local resource access, but with SMS can be possible you need integrate with your Portal.</P> <P><BR /><FONT face="tahoma,arial,helvetica,sans-serif">Or MAB based authentication using dual factor authentication?</FONT></P> <P>&nbsp;- what devices these are ?&nbsp; smart phones ? or dumb devices can not be input any data like medical devices or industrial devices.</P> <P><BR /><FONT face="tahoma,arial,helvetica,sans-serif">Is dual factor authentication possible using the base licenses?</FONT></P> <P><FONT face="tahoma,arial,helvetica,sans-serif">&nbsp;-&nbsp; Look at below what feature support each License : (ISE License Model and Features)</FONT></P> <P>&nbsp;</P> <P><FONT face="tahoma,arial,helvetica,sans-serif"><A href="https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide-c07-656177.html#7Licensemanagement" target="_blank">https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide-c07-656177.html#7Licensemanagement</A></FONT></P> Wed, 01 Dec 2021 09:28:05 GMT https://community.cisco.com/t5/network-access-control/guest-access-using-dual-factor-authentication/m-p/4511071#M571334 balaji.bandi 2021-12-01T09:28:05Z https://community.cisco.com/t5/network-access-control/guest-access-using-dual-factor-authentication/m-p/4511104#M571336 <P><SPAN>- what is the use case here, Guest itself different user and it required different access to go to internet, guest do not have any Local resource access, but with SMS can be possible you need integrate with your Portal.<BR /></SPAN><FONT face="tahoma,arial,helvetica,sans-serif">A: These are some of the devices that the internal users or the corporate users bring and would need access to internal network.</FONT><BR /><BR /></P><P>- what devices these are ?&nbsp; smart phones ? or dumb devices can not be input any data like medical devices or industrial devices.<BR /><FONT face="tahoma,arial,helvetica,sans-serif">A: Laptops, smart phones and tablets, connecting to the wireless network, where in the users use their own machines to work and access the company network and its resources. Kind of BYOD.</FONT><BR /><BR /><SPAN>-&nbsp; Look at below what feature support each License : (ISE License Model and Features<BR /></SPAN><FONT face="tahoma,arial,helvetica,sans-serif">A: Seems that there would be a need to upgrade the license for the feature that we are looking for.</FONT></P> Wed, 01 Dec 2021 10:21:19 GMT https://community.cisco.com/t5/network-access-control/guest-access-using-dual-factor-authentication/m-p/4511104#M571336 dgaikwad 2021-12-01T10:21:19Z https://community.cisco.com/t5/network-access-control/guest-access-using-dual-factor-authentication/m-p/4513193#M571440 <P>You are not describing a <STRONG>Guest</STRONG> scenario. "Guests" should <EM>never</EM> be required to use MFA since that is too much effort for the guest and potential support overhead for you.</P> <P>Internal / corporate users bringing in devices for access to the internal corporate network is considered <STRONG>BYOD</STRONG> and are generally managed with MDM software to ensure they are 1) secure and 2) provisioned with network access profiles (SSIDs, certificates, etc.) for secure connections. You don't do this for Guests with open/unsecured Guest networks.</P> <P>&nbsp;</P> <P>See <A href="https://cs.co/ise-licensing" target="_blank">https://cs.co/ise-licensing</A> for ISE Licensing scenarios.</P> <P>Basic authentication with MFA uses an ISE Base or Essentials. MDM would be Apex/Premier licensing.</P> <P>&nbsp;</P> Sat, 04 Dec 2021 20:26:20 GMT https://community.cisco.com/t5/network-access-control/guest-access-using-dual-factor-authentication/m-p/4513193#M571440 thomas 2021-12-04T20:26:20Z https://community.cisco.com/t5/network-access-control/guest-access-using-dual-factor-authentication/m-p/4513265#M571458 <P><FONT face="tahoma,arial,helvetica,sans-serif">Here is the scenario, currently only base licenses are available for use and not in position to procure new ilcensing for the advance use cases.</FONT><BR /><FONT face="tahoma,arial,helvetica,sans-serif">The other thing is that the company has a policy of allowing users to allow access to network using devices of their choice, using the AD credentials.</FONT><BR /><FONT face="tahoma,arial,helvetica,sans-serif">Cannot using profiling or BYOD, because of the license upgrade involved. Or even cannot certificate authentication, as CA infrastructure is not available and setup will take quite a time.</FONT></P><P><FONT face="tahoma,arial,helvetica,sans-serif">Now, there have been incidents of password sharing, thus to curb this and allow only devices of the users to login thinking of MFA.</FONT><BR /><FONT face="tahoma,arial,helvetica,sans-serif">Or somehow use MAC address + user/password configuration.</FONT></P><P><FONT face="tahoma,arial,helvetica,sans-serif">I am pretty sure that such a configuration will not be feasible until Plus licenses are procured. Just want some more pointers for this kind of deployment scenario.</FONT></P> Sun, 05 Dec 2021 05:22:21 GMT https://community.cisco.com/t5/network-access-control/guest-access-using-dual-factor-authentication/m-p/4513265#M571458 dgaikwad 2021-12-05T05:22:21Z https://community.cisco.com/t5/network-access-control/guest-access-using-dual-factor-authentication/m-p/4516409#M571584 <P>If users use the same username+password on multiple of their "devices of their choice", that is fine and MFA will not change anything.</P> <P>If users are sharing their corporate passwords with other corporate users or non-corporate users you have major security problems that go way beyond ISE. If they will share passwords, they will share MFA codes, too.</P> <P>The only solution to stop password sharing is to not use passwords at all and go with certificates on your devices.</P> <P>Since they do not want to buy ISE licenses for BYOD, they will need to buy MDM licenses to manage their users endpoints to ensure minimum levels of security and provision certificates for authentication.</P> Fri, 10 Dec 2021 04:21:04 GMT https://community.cisco.com/t5/network-access-control/guest-access-using-dual-factor-authentication/m-p/4516409#M571584 thomas 2021-12-10T04:21:04Z https://community.cisco.com/t5/network-access-control/guest-access-using-dual-factor-authentication/m-p/4519126#M571678 <P><FONT face="trebuchet ms,geneva">Yes, that does make sense and such a recommendation has already been provided.</FONT></P><P><FONT face="trebuchet ms,geneva">I was looking if such a scenario could have been deployed earlier and if there was any other workaround.</FONT><BR /><BR /><FONT face="trebuchet ms,geneva">I think this resolves it then.</FONT></P> Wed, 15 Dec 2021 06:53:29 GMT https://community.cisco.com/t5/network-access-control/guest-access-using-dual-factor-authentication/m-p/4519126#M571678 dgaikwad 2021-12-15T06:53:29Z