Solved: 2FA for ISE Administration Access

biswajit.pradhan · ‎09-24-2020

We want to have two factor for ISE administration with authorization based on AD group membership. Is there any config guide available?

thomas · ‎09-24-2020

You may still use Active Directory for the identity store however, due to the 2FA/MFA requirement, it will not be ISE that does the authentication with AD. Instead, ISE will do a RADIUS proxy to the 2FA/MFA vendor (Cisco Duo?) and they will perform the initial AD Authentication followed by the second factor push/token/whatever.

See https://cs.co/ise-guides > Cisco Duo Security for guides and videos.

View solution in original post

marce1000 · ‎09-24-2020

- Check this thread :

https://community.cisco.com/t5/network-access-control/ise-admin-login-2fa/m-p/3876233

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

biswajit.pradhan · ‎09-24-2020

Does this means, if I'm having any external radius for authentication then can't have AD for authorization?

thomas · ‎09-24-2020

You may still use Active Directory for the identity store however, due to the 2FA/MFA requirement, it will not be ISE that does the authentication with AD. Instead, ISE will do a RADIUS proxy to the 2FA/MFA vendor (Cisco Duo?) and they will perform the initial AD Authentication followed by the second factor push/token/whatever.

See https://cs.co/ise-guides > Cisco Duo Security for guides and videos.

balaji.bandi · ‎09-24-2020

how about below guide :

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_01110.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help