
Is Cisco ISE NAC and 2FA at Windows Logon possible?

fugami1
Level 1

Is it possible to have both network access control on our VLANs and two-factor authentication in place (e.g. Cisco Duo) at Windows logon? We want users to log on to their Windows machines, at which point they are placed in an isolated VLAN with access only to the Duo servers, so they can approve Cisco Duo's 2FA challenge on their phone and complete authentication; ISE then redirects them to whichever VLAN they have access to. Is this even possible?

1 Reply

Vikas K
Cisco Employee

Yes, it's possible to have 2FA along with ISE. In the case of Cisco Duo, ISE integrates with the Duo Authentication Proxy as an External RADIUS Server. ISE sends a RADIUS request to the Duo Auth Proxy, which performs primary authentication (username/password) against Active Directory or another RADIUS server. Once primary authentication succeeds, the Duo Auth Proxy makes an API call to the Duo Security service for secondary authentication (a phone push, for example), based on the username configured in Duo as well as in Active Directory (both should match). After successful secondary authentication, ISE sends an Access-Accept back to the NAD or user.

Please refer to this link for detailed information, flow and config: https://www.cisco.com/c/en/us/support/docs/security/duo/217739-configure-duo-integration-with-active-di.html

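The Duo Authentication Proxy side of the flow described in the reply above, as an added example that is not part of the thread or of the linked Cisco guide. Every host, account name, key and secret below is a constructed placeholder; the section and option names are those of the proxy's `authproxy.cfg`.

```ini
; authproxy.cfg on the Duo Authentication Proxy host (constructed example values)

; Primary authentication: the proxy checks username/password against Active Directory.
[ad_client]
host=192.0.2.10                          ; domain controller (placeholder)
service_account_username=svc-duoproxy    ; hypothetical read-only lookup account
service_account_password=REPLACE_ME
search_dn=DC=example,DC=com              ; placeholder base DN

; RADIUS listener: ISE is the RADIUS client of the proxy (External RADIUS Server in ISE).
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX                ; Duo integration key (placeholder)
skey=REPLACE_ME                          ; Duo secret key (placeholder)
api_host=api-XXXXXXXX.duosecurity.com    ; Duo API hostname (placeholder)
radius_ip_1=192.0.2.20                   ; ISE node sending the requests (placeholder)
radius_secret_1=REPLACE_ME               ; must match the shared secret set in ISE
client=ad_client                         ; use the [ad_client] section for primary auth
port=1812
; failmode decides what happens when the Duo service cannot be reached:
;   safe   = accept after primary authentication alone (second factor skipped)
;   secure = reject the request
failmode=secure
```

Because the Access-Accept is held until the push is approved, the RADIUS timeout ISE uses for this external server has to be long enough for a user to respond on their phone. The usernames AD returns must match the Duo usernames, as the reply notes.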