Cisco ISE Two Factor Authentication / Authorisation with different User Identity Store

data-dynamic (Level 1)

Hello everybody,

My customer would like the following scenario for Device Administration (TACACS+):

Authentication is to take place via the RSA SecurID server (user name and RSA passcode).

The authorization is to be carried out via the ISE User Identity Store.

(User name and password or only the password)

At the moment you can log in with user name and RSA passcode, and for an ENABLE on the network component the RSA passcode is requested again.

Here, however, the password from the ISE User Identity Store is to be queried.

Is there a suitable authorization policy to implement this scenario?

Greetings Mario

1 Accepted Solution

hslai (Cisco Employee)

I think you are asking about this feature -- Login Authentication and Enable Authorization Differentiation.

Given the usernames are the same in RSA and Internal Users, we may have the following:

Authentication Policy

- Enable Password: If TACACS:Service EQUALS Enable, Allow Protocols: Default Device Admin and use: Internal Users
- Default Rule (if no match): Allow Protocols: Default Device Admin and use: RSA
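The rule ordering in the accepted answer above, as an added example that is not code from this thread or from Cisco ISE: it parses a decrypted TACACS+ authentication START body (RFC 8907 section 5.1), reads the authen_service field that ISE exposes as the TACACS:Service attribute, and walks the two ordered rules (Enable goes to Internal Users, everything else falls through to RSA). The packet bytes are constructed for the demonstration, and the rule evaluator is a simplified model of first-match policy evaluation, not ISE's own engine.

```python
# Added example, not code from the Cisco Community thread or from Cisco ISE.
# It parses a (decrypted) TACACS+ authentication START body as defined in
# RFC 8907 section 5.1, reads the authen_service field that ISE exposes as the
# TACACS:Service attribute, and applies the two ordered authentication rules
# from the accepted answer to pick an identity store. Packet bytes below are
# constructed; the rule evaluator is a simplified model, not ISE's engine.
import struct
from dataclasses import dataclass
from typing import Callable, Optional

# authen_service values from RFC 8907; ISE shows these as TACACS:Service.
AUTHEN_SERVICE = {
    0: "None", 1: "Login", 2: "Enable", 3: "PPP", 4: "ARAP", 5: "PT",
    6: "RCMD", 7: "X25", 8: "NASI", 9: "FWPROXY",
}
TAC_PLUS_AUTHEN_LOGIN = 1        # action: start a login
TAC_PLUS_AUTHEN_TYPE_ASCII = 1   # authen_type: interactive ASCII login


@dataclass(frozen=True)
class AuthenStart:
    action: int
    priv_lvl: int
    authen_type: int
    service: str
    user: str
    port: str
    rem_addr: str
    data: bytes


def parse_authen_start(body: bytes) -> AuthenStart:
    """Decode a TACACS+ authentication START body (after the shared-secret
    obfuscation has been removed). Raises ValueError on a malformed body."""
    if len(body) < 8:
        raise ValueError("START body shorter than its 8-byte fixed header")
    (action, priv_lvl, authen_type, svc,
     user_len, port_len, rem_len, data_len) = struct.unpack("!8B", body[:8])
    if len(body) != 8 + user_len + port_len + rem_len + data_len:
        # The length fields must account for exactly the bytes present;
        # a mismatch means truncation or a malformed packet, so refuse it.
        raise ValueError("START body length does not match its length fields")
    if svc not in AUTHEN_SERVICE:
        raise ValueError(f"unknown authen_service value {svc}")
    off = 8
    fields = []
    for n in (user_len, port_len, rem_len):
        fields.append(body[off:off + n].decode("ascii"))
        off += n
    user, port, rem_addr = fields
    data = body[off:off + data_len]
    return AuthenStart(action, priv_lvl, authen_type, AUTHEN_SERVICE[svc],
                       user, port, rem_addr, data)


def build_authen_start(service: int, user: str, port: str = "tty0",
                       rem_addr: str = "192.0.2.10", priv_lvl: int = 1,
                       data: bytes = b"") -> bytes:
    """Build a constructed START body for testing (the inverse of the parser)."""
    u, p, r = user.encode("ascii"), port.encode("ascii"), rem_addr.encode("ascii")
    header = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                         TAC_PLUS_AUTHEN_TYPE_ASCII, service,
                         len(u), len(p), len(r), len(data))
    return header + u + p + r + data


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Optional[Callable[[AuthenStart], bool]]  # None = always matches
    allowed_protocols: str
    identity_store: str


# Ordered rules as described in the accepted answer: first match wins.
# "TACACS:Service EQUALS Enable" -> Internal Users; anything else -> RSA.
AUTHENTICATION_POLICY = [
    Rule("Enable Password", lambda s: s.service == "Enable",
         "Default Device Admin", "Internal Users"),
    Rule("Default Rule (if no match)", None, "Default Device Admin", "RSA"),
]


def select_identity_store(start: AuthenStart,
                          policy=AUTHENTICATION_POLICY) -> tuple:
    """Return (matched rule name, identity store) for one START request."""
    for rule in policy:
        if rule.condition is None or rule.condition(start):
            return rule.name, rule.identity_store
    raise LookupError("no rule matched and no default rule is present")


if __name__ == "__main__":
    for svc in (1, 2):  # a Login START, then an Enable START
        start = parse_authen_start(build_authen_start(svc, "mario"))
        rule, store = select_identity_store(start)
        print(f"{start.user}: service={start.service:<6} -> {rule} -> {store}")
```

The order of the two rules is what makes the scheme work: if the default RSA rule were evaluated first, every request would match it and the enable password would never be checked against Internal Users, which is the behaviour the original question describes.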

4 Replies


Hello hslai,

Thanks for the answer.

I will test it and report back with the results.

Greetings Mario

kthiruve (Cisco Employee)

Mario,

Authorization policy is meant to send suitable privileges for network admins that includes TACACS+ profile and command sets.

In the authorization policy you can also verify if the users are part of a certain group, as in the case of AD.

Authentication policy is what you need to verify credentials.

If you need to authenticate different TACACS+ services (login vs enable), you can do it as Hsing pointed out above.

Hope it clarifies.

Thanks

Krishnan

Hello Krishnan,

Thanks for the answer.

Greetings Mario