Solved: Cisco ISE and RSA ID packet flow

AIN UL BADAR · ‎12-07-2021

Hello

I'm in the process of integrating Cisco ISE and RSA Token Server. I'll need to allow Firewall ports in this ISE Distributed Deployment. The question is, does authentications for RSA Tokens come from a PSN or from a PAN towards the RSA Server?

Thank you

Greg Gibbs · ‎12-07-2021

This depends on what MFA use case(s) you are implementing. If you are only using MFA for user flows like Portals, these are handled by the PSNs. If you are using MFA for login to the Admin GUI (from any of the nodes), then all nodes would need connectivity.

View solution in original post

balaji.bandi · ‎12-07-2021

check below flows : (Hope this helps you understand)

https://www.grandmetric.com/2017/03/31/vpn-remote-access-with-multi-factor-authentication-experience-case-study/

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Greg Gibbs · ‎12-07-2021

This depends on what MFA use case(s) you are implementing. If you are only using MFA for user flows like Portals, these are handled by the PSNs. If you are using MFA for login to the Admin GUI (from any of the nodes), then all nodes would need connectivity.

AIN UL BADAR · ‎12-08-2021

Thank you Greg. It makes sense. My clients are authenticating with regular 802.1x, so it means PSNs initiate/relay the authentication requests back to RSA server.