Solved: Cisco ISE 3.2 and MFA for Device admin

ferdie.leroux1 · ‎04-26-2023

I'm trying to implement MFA for TACACS+ device administration. I integrated with NPS using a RADIUS token as an External Identity source and created an identity source sequence where the RADIUS token is 1st and the original AD authentication is 2nd.

I increased the TACACS timeout on the device and the RADIUS token so no timeout accurs.

The MFA gets to the mobile device and the MFA works as expected except it doesn't get to the authorization part of the policy.

From a log perspective everything looks fine except for:

24100 Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes

How do I go about fixing this? I read somewhere that the attribute value might be empty. I also don't get any clear articles or guides on how to implement MFA.

Marcelo Morais · ‎04-29-2023

Hi @ferdie.leroux1 ,

as a reference try the Duo MFA Integration with ISE for TACACS+ Device Administration with Microsoft Active Directory Users.

Hope this helps !!!

View solution in original post

Marcelo Morais · ‎04-29-2023

Hi @ferdie.leroux1 ,

as a reference try the Duo MFA Integration with ISE for TACACS+ Device Administration with Microsoft Active Directory Users.

Hope this helps !!!

Jamie_Hessels · ‎04-11-2024

Hey @Marcelo Morais when will it possible to use Azure AD as an identity source for device admin policy in ISE? wanting to leverage our existing Azure MFA for privileged users

JPavonM · ‎05-24-2024

@ferdie.leroux1 can you share the deployment guide for NPS-EntraID connection? (not the deployment of the NPS Extension but the config piece on EntraID)

I've everything on the ISE side configure as in the DUO example from @Marcelo Morais, and ISE is setup as "Remote RADIUS Server Group" on NPS, plus NPS has "Connections to Microsoft Routing and Remote Access server" policy enabled, but something is failing between NPS and EntraID.