Cisco Employee

ISE - External Identity Store - Two Factor Request Passes Token and Password

ISE experts,

My customer is using ISE for TACACS and would like to enable two factor authentication.

They currently have their two factor authentication server configured as an external identity store which works as expected.  Problem is, when ISE sends the request to the RADIUS token server for authentication, it sends the AD username/password along with the token.  If an admin with access to the RADIUS token server runs a debug, they can see the user’s active directory password which they want to avoid.

Question – Is it possible for ISE to separate the authentication request?  Something like this:

  1. Supplicant sends credentials to ISE to authenticate against AD.
  2. If AD credentials pass, supplicant sends the token to ISE to authenticate against RADIUS token server.
  3. If pass, proceed to authorization policies.

Or alternative:

  1. Supplicant sends AD credentials and token to ISE for authentication.
  2. ISE authenticates credentials against AD and sends the token only to the RADIUS token server.
  3. If it passes, then proceed to authorization policies.

Thanks for your help!

Accepted Solutions
Cisco Employee

Re: ISE - External Identity Store - Two Factor Request Passes Token and Password

Neither is really supported by ISE today. I think your customer's token server supports it because it has the inside knowledge of which characters belong to the OTP and the rest to the AD password.

What is supported in ISE is CWA chaining -- to use AD to perform one auth (e.g. DOT1X) and then redirect to an ISE guest portal and authenticate by token.

Cisco Employee

Re: ISE - External Identity Store - Two Factor Request Passes Token and Password

Also, it is common to use different ID stores for login and enable, by using the TACACS dictionary.

Please see if that is an option for your customers.

Cisco Employee

Re: ISE - External Identity Store - Two Factor Request Passes Token and Password

Thanks for getting back to me. If we use different ID stores for login and enable, the problem still exists if the customer chooses two factor for enable, right?

Cisco Employee

Re: ISE - External Identity Store - Two Factor Request Passes Token and Password

Yep, if customers choose it that way.

IMHO it's essentially two factors with one ID store for login and another for enable, so customers need not send AD credentials to OTP. Anyhow, it's up to the customers.