02-21-2018 01:15 PM
We'd like to control device TACACS authorization with AD Users and Groups while using RSA tokens for authentication. Does ISE support the ability to support the combination of AD Username and RSA Token passcode when using TACACS?
ex:
1) Login to the network device and prompted for username
2) Username: <AD user>
3) Password: <RSA Passcode>
Authorize user based on assigned AD Group.
02-21-2018 07:52 PM
This has been explained here - Two Factor Authentication on ISE – 2FA on ISE and Cisco ISE Two Factor Authentication / Authorisation with different User Identity Store
You can also do AD+OTP authentication by integrating the token server with AD
Thanks,
Nidhi
09-26-2018 01:35 PM
Hello Nathan. How does this work? ISE will need to have the RSA AM configured as an external identity source in the authentication policy. Where will ISE get the AD group info of the authenticating user in order to configure authorization policies against?
Does the RSA pass AD group information to ISE for the purpose of authorization?
11-05-2020 03:46 AM
Hello
I want to know the answer to: "Does the RSA pass AD group information to ISE for the purpose of authorization?"
Because I have a problem with authorization.
Authentication passes with RSA, but authorization fails with: "subject not found in applicable Identity store"
(Logs on the RSA server say: Authentication method success)
So the question is: does ISE make an AD access to verify the AD group of the user, or does ISE use the answer of the RSA to match the user to the AD group?
Michel
11-05-2020 05:19 AM
11-06-2020 01:19 AM
Hello Paul
Great! You found the solution directly.
In fact, this parameter "identity caching" is new. It doesn't exist in version 2.2. So doing a migration causes the problem, because it is not checked during the upgrade!
So, to sum up: when the problem is that RSA authorization fails but RSA authentication passes, and you find in the authorization step the lines
15013 Selected Identity Source - RSA SecurID
24558 User cache is not enabled in the RSA identity store configuration - RSA SecurID
22016 Identity sequence completed iterating the IDStores
22056 Subject not found in the applicable identity store(s)
The solution is to enable "Identity caching" in
External Identity Source: RSA SecurID > Authentication Control tab.
Many thanks for your help !!
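As an added example (not code from this thread, from Cisco, or from any of the posters), here is a small triage script that reads the step lines ISE shows in the TACACS+ Live Log details for one session and recognises the pattern summarised above: RSA SecurID selected as the identity source, step 24558 reporting that the user cache is disabled, and step 22056 "Subject not found". The step codes and messages are the ones quoted in the post; the surrounding log text, the function names and the remediation strings are assumptions made for the example.

```python
"""Triage helper for the ISE TACACS+ "authentication pass / authorization fail" case.

Added example, not Cisco code. Parses ISE step lines of the form
"<5-digit code> <message>" and reports whether the session matches the
RSA identity-caching-disabled signature described in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Step codes quoted in the thread (constructed mapping, not an official table).
STEP_SOURCE_SELECTED = 15013   # Selected Identity Source - <store name>
STEP_CACHE_DISABLED = 24558    # User cache is not enabled in the RSA identity store configuration
STEP_SEQUENCE_DONE = 22016     # Identity sequence completed iterating the IDStores
STEP_SUBJECT_NOT_FOUND = 22056  # Subject not found in the applicable identity store(s)

STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*?)\s*$")


@dataclass
class Step:
    code: int
    message: str


def parse_steps(text: str) -> List[Step]:
    """Return the step entries found in a block of Live Log detail text.

    Lines that do not start with a five-digit step code (headers, blank
    lines, attribute dumps) are ignored.
    """
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append(Step(int(m.group(1)), m.group(2)))
    return steps


def selected_source(steps: List[Step]) -> Optional[str]:
    """Name of the identity store chosen in step 15013, if present."""
    for s in steps:
        if s.code == STEP_SOURCE_SELECTED and " - " in s.message:
            return s.message.rsplit(" - ", 1)[1].strip()
    return None


def diagnose(steps: List[Step]) -> str:
    """Classify the authorization outcome from the step codes.

    Returns one of:
      "rsa-identity-caching-disabled"  - the signature from the thread
      "subject-not-found-other"        - 22056 without the 24558 hint
      "no-match"                       - nothing suspicious in these steps
    """
    codes = {s.code for s in steps}
    if STEP_CACHE_DISABLED in codes and STEP_SUBJECT_NOT_FOUND in codes:
        return "rsa-identity-caching-disabled"
    if STEP_SUBJECT_NOT_FOUND in codes:
        return "subject-not-found-other"
    return "no-match"


# Assumed remediation text per diagnosis (example wording, not Cisco's).
REMEDIATION = {
    "rsa-identity-caching-disabled":
        "Enable Identity Caching on the RSA SecurID external identity source "
        "(Authentication Control tab) so authorization can look up the user.",
    "subject-not-found-other":
        "Check that the user exists in the identity store(s) the sequence iterates.",
    "no-match": "No known failure signature found in these steps.",
}

# Constructed sample: authorization detail for a failing session, using the
# four step lines quoted in the thread plus an unrelated header line.
SAMPLE_FAILURE = """\
Steps
15013 Selected Identity Source - RSA SecurID
24558 User cache is not enabled in the RSA identity store configuration - RSA SecurID
22016 Identity sequence completed iterating the IDStores
22056 Subject not found in the applicable identity store(s)
"""

# Constructed sample after the fix: no cache warning, no subject-not-found step.
SAMPLE_OK = """\
Steps
15013 Selected Identity Source - RSA SecurID
22016 Identity sequence completed iterating the IDStores
"""


def report(text: str) -> str:
    """One-line summary suitable for a ticket note."""
    steps = parse_steps(text)
    verdict = diagnose(steps)
    return f"source={selected_source(steps)} verdict={verdict}: {REMEDIATION[verdict]}"


if __name__ == "__main__":
    print(report(SAMPLE_FAILURE))
    print(report(SAMPLE_OK))
```

The classification deliberately keys on the pair 24558 + 22056 rather than on 22056 alone, since "Subject not found" also appears for ordinary typos in the username; the 24558 line is what distinguishes the upgrade-related caching setting from those cases.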