07-08-2016 09:30 AM
A customer has multiple ASAs set up in multi-context mode. They would like to use 2 Factor authentication for admin access control, and have tried unsuccessfully with ACS.
Would this be possible using ISE with the Device Administration License?
From the customer for more color:
We’ve tried it with ACS, and it’s not supported that way either. I think the challenge from what I see in the logs is that there is a reauthentication that occurs every time you switch contexts. That wouldn’t work with SecurID which acts as an OTP.
Accepted Solutions

07-08-2016 03:26 PM
In the User Guide for Cisco Secure Access Control System 5.8 is a section Authenticating Administrators against RSA SecurID Server which should explain how to do this with an OTP/token server such as an RSA server. See the Supported and Interoperable Devices and Software for Cisco Secure Access Control System 5.8 for Supported External Identity Stores.
ISE has the same capability. Please read the Cisco Identity Services Engine Administrator Guide, Release 2.1 section for Administrative Access to Cisco ISE and specifically Administrative Access to Cisco ISE Using an External Identity Store.

07-08-2016 05:22 PM
Starting with version 5.5, ACS has the ability to cache the passcode for up to 5 minutes without going back to the RSA server. It will introduce a security hole, but will give you the ability to switch contexts without re-prompts, at least for 5 minutes.
ISE does not have this feature yet.
