Cisco ISE 3.2 and MFA for Device admin

ferdie.leroux1
Level 1

I'm trying to implement MFA for TACACS+ device administration. I integrated with NPS using a RADIUS token as an External Identity source and created an identity source sequence where the RADIUS token is 1st and the original AD authentication is 2nd. 

I increased the TACACS timeout on the device and the RADIUS token so no timeout occurs.

The MFA gets to the mobile device and the MFA works as expected except it doesn't get to the authorization part of the policy.

From a log perspective everything looks fine except for:

24100 Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes

How do I go about fixing this? I read somewhere that the attribute value might be empty. I also don't get any clear articles or guides on how to implement MFA. 

1 Accepted Solution

3 Replies

Jamie_Hessels
Level 1

Hey @Marcelo Morais, when will it be possible to use Azure AD as an identity source for device admin policy in ISE? Wanting to leverage our existing Azure MFA for privileged users.

JPavonM
VIP

@ferdie.leroux1 can you share the deployment guide for NPS-EntraID connection? (not the deployment of the NPS Extension but the config piece on EntraID)

I've got everything on the ISE side configured as in the DUO example from @Marcelo Morais, and ISE is set up as a "Remote RADIUS Server Group" on NPS, plus NPS has the "Connections to Microsoft Routing and Remote Access server" policy enabled, but something is failing between NPS and EntraID.