Cisco Employee

TACACS+ support for 2-Factor Authentication

Hello,

I have received several recent requests for 2FA with TACACS support in ISE 2.0, with some customers indicating they have been told by other customers that "it works".  Having looked through the documentation, I have not seen anything to indicate we support it.  Can anyone provide details as to when it will be supported, or if it already is - how it is supported?

I know this is something we have done for a long time in both ACS and ISE for network access using RADIUS.

I can only locate the link to the Pragma Systems announcement and solution from CLUS 2015, but that appears to be certificate-based and to rely on their assistance and some features in both the terminal program and their use of OCSP to make this work. How about for RSA tokens, OTPs, certificates, etc.? Any plans there?

Thank you!

Accepted Solutions
Cisco Employee

Re: TACACS+ support for 2-Factor Authentication

Yes it is.  You just point to the external 2-factor system as the Identity Source for the Authentication; just like with network access.

In the Device Administration WorkCenter, look for Ext ID Source (External ID Sources).

Aaron

Cisco Employee

Re: TACACS+ support for 2-Factor Authentication

In the case of certificates or pubkey for SSH, the authentication will be local. However, it's possible to continue with T+ EXEC authorization, command authorization, and accounting, depending on the network device T+ implementation.