ISE 2.+ TACACS+ Device Administration with Google Authenticator 2FA

ciscobacon
Level 1

I am currently researching a second factor implementation on multiple Cisco IOS-XE and ASA products and was hoping to be able to use TACACS+ built into ISE for authentication, but with an external TACACS+ server with PAM module installed to support Gauth as my second factor.  Is this possible? I've seen screenshots of AAA logins on IOS-XE asking for "password & verification code:" in one line, which doesn't sound helpful, since I don't believe ISE will be able to parse one line of both password and authentication token.  Any help is greatly appreciated!


7 Replies

hslai
Cisco Employee

ISE is not currently integrating directly with Google Authenticator via PAM. It might work if you are able to use a 3rd-party RADIUS server to integrate with Google Authenticator and use that in ISE as an identity store of RADIUS token server type, and pass on the whole string (password & verification code) to the 3rd-party RADIUS server, which in turn passes it to Google Authenticator.
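The approach described above, forwarding the whole "password & verification code" string to an external server that splits and checks it, is what a Google Authenticator PAM-style backend does on its side. The Python below is an added example, not code from this thread, from Cisco or from ISE: it splits the combined string (last 6 digits as the TOTP code), implements RFC 6238 TOTP the way Google Authenticator computes it, and checks both parts against a user record. The user name, salt, password and TOTP secret (the RFC 6238 test key) are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct
import time

OTP_DIGITS = 6     # Google Authenticator default code length
TOTP_STEP = 30     # Google Authenticator default time step, in seconds

def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the variant Google Authenticator uses."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"

def split_credential(combined: str):
    """Split 'password+code' into (password, code); None if no 6-digit suffix."""
    if len(combined) <= OTP_DIGITS or not combined[-OTP_DIGITS:].isdigit():
        return None
    return combined[:-OTP_DIGITS], combined[-OTP_DIGITS:]

def verify_login(username: str, combined: str, users: dict, now=None, window=1) -> bool:
    """Check password and TOTP; `window` = adjacent 30 s steps tolerated for clock drift."""
    record = users.get(username)
    parts = split_credential(combined)
    if record is None or parts is None:
        return False
    password, code = parts
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000)
    pw_ok = hmac.compare_digest(pw_hash, record["pw_hash"])
    now = int(time.time()) if now is None else now
    otp_ok = any(
        hmac.compare_digest(code, totp(record["totp_secret"], now + k * TOTP_STEP))
        for k in range(-window, window + 1)
    )
    return pw_ok and otp_ok   # both evaluated, so a failure does not reveal which part was wrong

# Constructed sample record; the TOTP secret is the RFC 6238 test key, not a real credential.
DEMO_USERS = {
    "netadmin": {
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
        "salt": b"demo-salt",
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"Secret!", b"demo-salt", 100_000),
    }
}
```

With the RFC 6238 test key, the code at Unix time 59 is 287082, so `verify_login("netadmin", "Secret!287082", DEMO_USERS, now=59)` returns True.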

Hi Hslai,

Thank you so much for your meaningful and concise answer!  Since the authentication model RADIUS token servers support only PAP or EAP-GTC, which are not really an option for me atm, I was wondering if an external TACACS server might work instead.  Second question for you - do you know of a way to use ISE's internal database for the password authentication and still use an external TACACS server for the gauth token authentication?  Thank you!

ISE T+ supports PAP/ASCII, CHAP, and MS-CHAPv1 only. Please share why PAP is insufficient. Even with PAP, we may change passwords in AD.

The only use case where ISE T+ supports different ID stores is Login Authentication and Enable Authorization Differentiation. See previous discussion -- Cisco ISE Two Factor Authentication / Authorisation with different User Identity Store

I am now in the middle of a lab in GNS3 for this situation - I've only made it to authenticating line vty with T+ through ISE (works so far), but am noticing the requirement of PAP for the authentication protocol.  As you have asked why PAP is insufficient - It sends passwords and usernames in the clear and unless you can 100% verify every node in your network along the path is secure, this is extremely unacceptable for security standards.  As it is in my case, I have ISE nodes within the same site, but our external T+ server will be separated across the WAN.  Even using VPN site-to-site tunnels won't cover the separate nodes this traffic will cross within these sites, so it gives me great pause to consider such an outdated mode of authentication. I'm wondering if there's another way to protect this traffic at different points in the LAN, but I sure wish I didn't have to think about this and Cisco ISE had implemented more secure authentication protocols in the first place.

ISE provides point-to-point IPSec encryption between ISE and NAD, if the NAD is capable of IPSec. See Configure ISE 2.2 IPSEC to Secure NAD (IOS) Communication

Hi @hslai, I saw this thread was from 2017, but is it still the case that ISE does not currently integrate directly with Google Authenticator via PAM?

No PAM support.

Only SAML.

See http://cs.co/ise-compatibility docs.
