topic Re: Cisco ISE 3.2 and MFA for Device admin in Network Access Control

Cisco ISE 3.2 and MFA for Device admin

ferdie.leroux1 — Wed, 26 Apr 2023 07:05:27 GMT

I'm trying to implement MFA for TACACS+ device administration. I integrated with NPS using a RADIUS token as an External Identity source and created an identity source sequence where the RADIUS token is 1st and the original AD authentication is 2nd.

I increased the TACACS timeout on the device and the RADIUS token so no timeout accurs.

The MFA gets to the mobile device and the MFA works as expected except it doesn't get to the authorization part of the policy.

From a log perspective everything looks fine except for:

24100 Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes

How do I go about fixing this? I read somewhere that the attribute value might be empty. I also don't get any clear articles or guides on how to implement MFA.

Re: Cisco ISE 3.2 and MFA for Device admin

Marcelo Morais — Sat, 29 Apr 2023 13:30:21 GMT

Hi @ferdie.leroux1 ,

as a reference try the Duo MFA Integration with ISE for TACACS+ Device Administration with Microsoft Active Directory Users.

Hope this helps !!!

Re: Cisco ISE 3.2 and MFA for Device admin

Jamie_Hessels — Fri, 12 Apr 2024 05:52:17 GMT

Hey @Marcelo Morais when will it possible to use Azure AD as an identity source for device admin policy in ISE? wanting to leverage our existing Azure MFA for privileged users

Re: Cisco ISE 3.2 and MFA for Device admin

JPavonM — Fri, 24 May 2024 13:42:12 GMT

@ferdie.leroux1 can you share the deployment guide for NPS-EntraID connection? (not the deployment of the NPS Extension but the config piece on EntraID)

I've everything on the ISE side configure as in the DUO example from @Marcelo Morais, and ISE is setup as "Remote RADIUS Server Group" on NPS, plus NPS has "Connections to Microsoft Routing and Remote Access server" policy enabled, but something is failing between NPS and EntraID.