Cisco ISE configuration for dual authentication

Hello all,

I have a setup where ISE is to be configured to authenticate users to login on network devices (router/switch etc). We need the ISE to perform dual authentication of the user, means username/password (from AD)  and user certificate (NOT machine certificate). Is it possible in ISE then how? (Please no option to use external MFA resource)


You cannot make this work using only aaa auth login on the vty line with ISE, as far as I know.

MHM

Why would you want to do both username/password and certificate authentication? IMO it would be enough to use certificate authentication, as that provides a robust, secure authentication method. If you want to add extra security on top of that, you can integrate ISE with Duo or another 2FA provider; in that case, before the users are allowed onto the devices they have to pass both certificate and 2FA authentication.

Dot1x allows EAP, which can make a connection between the user and ISE. Here he accesses the device via telnet/SSH, and the vty doesn't have the capability to forward EAP between the user and ISE.

He can use ISE TACACS for commands, which gives him a second protection (not auth), and he can use access-class.

MHM

We are moving away from our existing 2FA solution, so to replace it I'm looking for a dual authentication option to access network devices over SSH. Do you have any solution to offer other than external 2FA?

balaji.bandi
Hall of Fame

There was an interesting discussion on this community - check below (not sure whether it was a success?)

https://community.cisco.com/t5/network-security/cisco-ios-mfa-ssh-certificate-authentication-radius/td-p/4283746


BB


That's a good idea: using an internal CA, have the admin get a cert signed by the internal CA, then have the switch or router revoke the cert with the internal CA.

It works with the commands @balaji.bandi provides.

MHM