MFA for network devices; currently authenticating through Cisco ISE

snbw16 — Mon, 13 Oct 2025 12:59:08 GMT

Hello All

Currently, our admins login into network devices through their TACACS IDs local to Cisco ISE.

Admins managing Cisco ISE (WebGUI) have MFA configured. But now there is a requirement to have 2FA for network device login using TACACS.

Challenges:

1. Implementing 2FA for logging on n/w devices will have impact on resolution duration since after device timeout, admin have do perform 2FA for every device it logins

2. Under a circumstance if Cisco ISE is not able to reach 2FA server, admin will get prompt for authentication but never get push notification/ code to approve the login attempt.

Can someone please share insight onto this.

Re: MFA for network devices; currently authenticating through Cisco IS

balaji.bandi — Tue, 14 Oct 2025 06:26:08 GMT

This required planning for the deployment—make sure ISE is highly available and that devices have an alternative path to reach it.

If the ISE network is completely down, you may need to use a Local account with no MFA as the best option, or try the API (if available).

topic Re: MFA for network devices; currently authenticating through Cisco IS in Network Access Control

MFA for network devices; currently authenticating through Cisco ISE

Re: MFA for network devices; currently authenticating through Cisco IS