Cisco Employee

TACACS+ support for 2-Factor Authentication

Hello,

I have received several recent requests for 2FA with TACACS support in ISE 2.0, with some customers indicating they have been told by other customers that "it works".  Having looked through the documentation, I have not seen anything to indicate we support it.  Can anyone provide details as to when it will be supported, or if it already is - how it is supported?

I know this is something we have done for a long time in both ACS and ISE for network access using RADIUS.

I can only locate the link to the Pragma Systems announcement and solution from CLUS 2015, but that appears to be certificate based and rely on their assistance and some features in both the terminal program and their use of OCSP to make this work.  How about for RSA tokens, OTPs, certificates, etc?  Any plans there?

Thank you!

Accepted Solutions
Cisco Employee

Re: TACACS+ support for 2-Factor Authentication

Yes it is.  You just point to the external 2-factor system as the Identity Source for the Authentication; just like with network access.

In the Device Administration WorkCenter, look for Ext ID Source (External ID Sources).

Aaron

Cisco Employee

Re: TACACS+ support for 2-Factor Authentication

In case of certificates or pubkey for SSH, then the authentication will be local. However, it's possible to continue with T+ EXEC authorization, command authorization, and accounting, depending on the network device T+ implementation.