Cisco ISE and 2FA

Stevejohnson35
Level 1

I work at a small company that uses ISE to authenticate and authorize remote access to various different routers in our network. We have recently added an additional server that we are using to provide MFA for these logins. Currently, I have both a RADIUS token and an external RADIUS server set up to handle forwarding for our TACACS and RADIUS devices to our third-party MFA server. Right now we have to include a delimiter in our password and then type in our OTP from our authenticator applications for this setup to work. I am hoping to find a way to have the pop-up asking for the OTP in the CLI environment instead of having to delimit and append the OTP to the password string.

I'm not sure if there is something I am missing with my current setup with my policies that I can add to both the token and external RADIUS server settings to help make this work. Another solution I was wondering about is whether I can use my MFA authentication server for authentication from a device login and then use ISE ONLY for the authorization piece.

Accepted Solutions

thomas
Cisco Employee

Steve,

One of our November ISE Webinars was ISE With Duo Integration. It sounds like Duo is not the MFA product you are using but they all basically work the same way - either with a RADIUS proxy or SAML. I suggest watching the scenario(s) below that look closest to what you are trying to do.

06:58 ISE & Duo Integration Solution Scenarios
08:45 Protect ISE Admin UI with Duo Authentication Proxy (RADIUS Proxy)
10:38 Demo: ISE Admin UI with Duo MFA
11:27 - Add Users with Active Directory Sync
11:57 - Install & Configure Duo Authentication Proxy
13:53 - Configure AD Domain Controller
14:28 - AD Groups Sync
17:33 - Protect an Application: Cisco ISE RADIUS
19:07 - ISE RADIUS Proxy configuration to Duo
20:50 - duoadmin shadow user for superadmin access
22:39 Duo Single Sign-On with SAML
25:11 Demo: Protect ISE Admin UI with Duo Single Sign-On
28:37 - Active Directory Configuration for SSO
30:58 - Protect an Application: Generic SAML Service Provider
32:18 - Configure Duo as ISE SAML Identity Provider
34:20 - Add Duo Certificate to ISE Trusted Certificates
35:19 - Add Duo SAML Metadata to ISE
35:38 - Map SAML Groups to ISE Admins
37:26 - Login to ISE with Duo SAML SSO
38:15 Protect Network Device Admin Access with ISE and Duo
38:36 Advantages of Using ISE for Device Admin Access
44:36 Demo: Network Device Admin Access (TACACS) with ISE & Duo
46:03 - Enable ISE Device Admin (TACACS) Service
46:21 - ISE Network Device Configuration
47:00 - ISE Device Admin Policy Set
48:08 - ISE TACACS Profiles & Command Sets
49:02 - Network Device TACACS Configuration
50:08 - Login to IOS CLI with Duo MFA
50:38 - ISE Device Admin (TACACS) LiveLog & Reports
53:00 Protecting Network Access with Duo
54:55 EAP Flow with ISE & Duo
57:50 Demo: Network Access with Duo
58:37 - ISE Policy Set
59:11 - Client Supplicant (Cisco Secure Client/AnyConnect NAM) Configuration with EAP-GTC
1:00:00 - Network Access Authentication with Duo
1:00:24 - Review Authentication in ISE
1:01:25 - Review Authentication in Duo
1:02:03 Protecting RA-VPN Access with Duo MFA
1:02:18 - Using Duo Auth Proxy flow
1:03:35 - Using Duo SAML flow
1:05:03 Demo: Protecting RA-VPN Access with Duo Auth Proxy
1:05:23 - ISE RA-VPN Policy Set
1:06:05 - ASA VPN Config
1:08:20 - VPN Client Connection & ISE Logs
1:09:08 Protecting ISE Web Portals Access with Duo MFA
1:09:26 - Duo Auth Proxy flow
1:10:20 - Duo SAML flow
1:13:10 Demo: ISE Web Portals Access with Duo MFA
1:14:06 - with Duo Auth Proxy
1:15:16 - with SAML
1:18:14 Duo Security Compliance Policy with Duo Device Health App
1:20:28 ISE & Duo Compliance Comparison
