Nathan Falcon
Cisco Employee

Cisco ISE TACACS+ with RSA Securid and AD integration

We'd like to control device TACACS authorization with AD users and groups while using RSA tokens for authentication. Does ISE support the combination of an AD username and an RSA token passcode when using TACACS?


Example:

1) Log in to the network device and get prompted for a username
2) Username: <AD user>
3) Password: <RSA Passcode>

Authorize the user based on the assigned AD group.

Accepted Solution
Nidhi
Cisco Employee

This has been explained here: Two Factor Authentication on ISE – 2FA on ISE, and Cisco ISE Two Factor Authentication / Authorisation with different User Identity Store.

You can also do AD+OTP authentication by integrating the token server with AD.

Thanks,

Nidhi



west33637
Beginner

Hello Nathan. How does this work? ISE will need to have the RSA AM configured as an external identity source in the authentication policy. Where will ISE get the AD group info of the authenticating user in order to configure authorization policies against it?

Does the RSA pass AD group information to ISE for the purpose of authorization?

Hello,
I want to know the answer to "Does the RSA pass AD group information to ISE for the purpose of authorization?",
because I have a problem with authorization.
Authentication passes with RSA, but authorization fails with "Subject not found in applicable identity store"
(the logs on the RSA server say: Authentication method success).
So the question is: does ISE access AD to verify the AD group of the user, or does ISE use the RSA response to match the user to the AD group?

Michel

You need to turn on identity caching under your RSA definition.


Hello Paul,

Great! You found the solution directly.
In fact, this parameter "Identity caching" is new; it doesn't exist in version 2.2. So a migration causes the problem, because it is not checked during the upgrade!

So, to summarize: when the problem is that RSA authorization fails but RSA authentication passes, and in the authorization step you find the lines
   15013 Selected Identity Source - RSA SecurID
   24558 User cache is not enabled in the RSA identity store configuration - RSA SecurID
   22016 Identity sequence completed iterating the IDStores
   22056 Subject not found in the applicable identity store(s)
the solution is to enable "Identity caching" in
External Identity Source: RSA SecurID > tab Authentication Control.

Many thanks for your help !!
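As an added example (not code from this thread or from Cisco), here is a small Python checker that parses ISE authentication-detail step lines of the form quoted above and flags the 24558 + 22056 combination, so the misconfiguration can be spotted across many exported records rather than by eye. The step codes and the Identity caching remediation come from the post; the sample lines are constructed for the example, and the verdict for 22056 without 24558 is an assumption, not something the thread states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample (not a real ISE export): the four step lines quoted in
# the post above, then a second record that fails without step 24558.
SAMPLE_STEPS = """\
15013 Selected Identity Source - RSA SecurID
24558 User cache is not enabled in the RSA identity store configuration - RSA SecurID
22016 Identity sequence completed iterating the IDStores
22056 Subject not found in the applicable identity store(s)

15013 Selected Identity Source - RSA SecurID
22016 Identity sequence completed iterating the IDStores
22056 Subject not found in the applicable identity store(s)
"""

# ISE step line: 5-digit step code, message, optional " - <identity source>".
STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*?)(?:\s+-\s+(\S.*))?$")

# Step codes taken from the thread.
STEP_RSA_CACHE_DISABLED = "24558"
STEP_SUBJECT_NOT_FOUND = "22056"


@dataclass(frozen=True)
class Step:
    code: str
    message: str
    source: Optional[str]


def parse_steps(text: str) -> List[List[Step]]:
    """Split a text of step lines into records (blank-line separated)."""
    records: List[List[Step]] = []
    current: List[Step] = []
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = []
            continue
        m = STEP_RE.match(line)
        if m is None:
            continue  # not a step line (e.g. a header); ignore it
        current.append(Step(m.group(1), m.group(2), m.group(3)))
    if current:
        records.append(current)
    return records


def diagnose(steps: List[Step]) -> Tuple[str, Optional[str]]:
    """Classify one record and return (verdict, remediation)."""
    codes = {s.code for s in steps}
    if STEP_SUBJECT_NOT_FOUND not in codes:
        return ("ok", None)
    if STEP_RSA_CACHE_DISABLED in codes:
        # Exactly the pattern in the post: the fix is the Identity caching checkbox.
        return (
            "rsa-identity-caching-disabled",
            "Enable Identity caching: External Identity Sources > RSA SecurID "
            "> Authentication Control",
        )
    # Assumption, not stated in the thread: 22056 without 24558 means the user
    # lookup failed for some other reason, so the identity source sequence used
    # by the policy is the next thing to inspect.
    return ("subject-not-found", "Inspect the identity source sequence used by the policy")


def scan(text: str) -> List[Tuple[int, str, Optional[str]]]:
    """Run diagnose() over every record in text; returns (index, verdict, remediation)."""
    return [(i, *diagnose(rec)) for i, rec in enumerate(parse_steps(text))]


if __name__ == "__main__":
    for idx, verdict, fix in scan(SAMPLE_STEPS):
        print(f"record {idx}: {verdict}" + (f" -> {fix}" if fix else ""))
```

Feed `scan()` the step lines copied from the ISE Live Log detail page (one blank line between records); the first constructed record is reported as `rsa-identity-caching-disabled`, the second only as a generic `subject-not-found`.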
