Beginner

ACS 5.2 TACACS+ and two factor authentication?

I am trying to wrap my head around this topic and failing. I want to set up two factor authentication via ACS 5.2 TACACS+ without having to use a token (such as that by RSA). Is there a way to do it?

More info:

Users from unconnected AD domains will be connecting to the routers and switches.

There is a certificate server available to generate certificates.

SSHv2 is the current login protocol.

Thanks!

Accepted Solutions
Cisco Employee

ACS 5.2 TACACS+ and two factor authentication?

Without RSA, I don't see a way to accomplish this.

With TACACS, all you can have is:

username:xxxxxx

password:xxxxxx

ciscoasa>enable

password:xxxxxx

Above, you are using 2 passwords: login and enable.

Jatin Katyal


- Do rate helpful posts -

~Jatin Katyal


Beginner

ACS 5.2 TACACS+ and two factor authentication?

That is what I was coming up with, but I was hopeful someone would say "you can do this...".

I see that I can set up more than one database to authenticate against and I can use certificates... but Cisco's TACACS stops when it gets the first OK (like an access list does), so if I use a certificate it will not prompt for a username and password if it finds the certificate first, and vice versa.

Cisco Employee

ACS 5.2 TACACS+ and two factor authentication?

Sorry to tell you the true story.

Could you please explain what your end goal is? What devices are involved in your setup, and what kind of authentication is this?

Jatin Katyal


- Do rate helpful posts -

~Jatin Katyal
Beginner

Re: ACS 5.2 TACACS+ and two factor authentication?

The IRS demands two factor authentication for any system which touches specific kinds of data, such as social security numbers. Just routers and switches. I was hoping to do this without spending money - but it appears I am out of luck on that front.

I will keep this thread open for a bit just in case someone else has any ideas, otherwise I will mark yours as the correct answer.

Cisco Employee

Re: ACS 5.2 TACACS+ and two factor authentication?

Sure.

Jatin Katyal


- Do rate helpful posts -

~Jatin Katyal