05-24-2018 05:21 AM - edited 02-21-2020 10:56 AM
Hello All,
hope someone can help me with this.
For a 3rd-party application I need to send back an Access-Challenge as Access Type in Cisco ISE.
We're using Cisco ISE to verify the source IP as one factor; if the IP is not in our list, the result should be Access-Challenge, and the application then takes over and checks for the token response.
Flow:
Login Page asking for Username / Password
If Username / Password is correct and IP is in our List (checked by ISE) --> Accept
If Username / Password is correct and IP is not in our List (checked by ISE) --> Challenge --> Awaiting Token Response (Token checked by Application itself)
Info from Vendor:
====
As per that FAQ, the response which we send complies with RFC 2865 standards. If an Access-Challenge is found, the appliance page prompts for the code and sends the input back to the RADIUS server. It then waits for Access-Accept.
====
Sadly, I can only choose from Access-Accept or Access-Deny.
Is there any way to create such an additional Access Type?
I know there was a similar question in 2014, but it hasn't been answered yet.
We're using Cisco ISE 2.1
Thanks
Gregor
05-25-2018 01:37 AM
05-25-2018 02:15 AM
Hello Richard,
thanks for your reply.
This solution is for a product called Bomgar.
By default we have 2-factor authentication activated
- Username / Password
- Token
But for some companies we've introduced using the source IP as one factor to get rid of the token here. (Tokens need to be user-bound, but these companies have service desks and this would mean a lot of tokens.)
There we have
- Username / Password
- IP
Sadly, Bomgar isn't able to check the IP address as one factor by itself.
So we created a rule that Bomgar has two AAA instances to ask:
1st: Cisco ISE, to check for the IP.
If the IP is correct --> Access-Accept
If the IP is unknown --> Access-Deny
2nd: Bomgar itself, which then checks for the token response.
At the current state it's working with some side effects.
If a user is logging in coming from a known IP, everything works fine.
If a user is logging in from an unknown IP, he will get a deny from ISE, which also means a deny on the Bomgar login page. After that he enters the credentials and the token response again and it works, since now it's authenticated by Bomgar itself.
Bomgar is telling us that if we would send an Access-Challenge back instead of a deny, we could create a popup with "token response needed".
Regards,
Gregor
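The exchange Gregor is describing is the standard RFC 2865 challenge-response round trip: the RADIUS server answers the first Access-Request with Access-Challenge (code 11) carrying a State attribute, the NAS (here the Bomgar login page) prompts for the token, and sends a second Access-Request that echoes State and carries the token in User-Password; only then does the server return Access-Accept or Access-Reject. The following is an added example written for this page, not code from Cisco ISE, Bomgar or any poster in the thread. It is a toy RADIUS server in Python that implements that flow with a hypothetical trusted-IP list, hypothetical users and tokens, and a made-up shared secret, including the Response Authenticator computation from RFC 2865 section 3 so a client can verify each reply. User-Password is carried in plaintext here for readability; a real server must apply the section 5.2 obfuscation.

```python
"""Toy RFC 2865 RADIUS exchange: Accept from a trusted IP, otherwise Access-Challenge + State, then token check."""
import hashlib
import hmac
import secrets
import struct

# RFC 2865 packet codes
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
# RFC 2865 attribute types used in this example
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
# Constructed example data (not from the original post): shared secret and the "known IP" list
SHARED_SECRET = b"example-shared-secret"
TRUSTED_CLIENT_IPS = {"198.51.100.10"}


def encode_attrs(attrs):
    """Encode (type, value) pairs as RFC 2865 TLVs: 1-byte type, 1-byte length including header, value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse RFC 2865 TLVs, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_request(identifier, attrs):
    """Access-Request with a random 16-byte Request Authenticator (RFC 2865 section 3)."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + secrets.token_bytes(16) + body


def build_response(code, request, attrs):
    """Reply whose Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + SHARED_SECRET).digest()
    return header + resp_auth + body


def verify_response(response, request):
    """Client-side check that the reply was produced by a server holding the shared secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + SHARED_SECRET).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse(packet):
    """Return (code, identifier, authenticator, {attr_type: value}); rejects inconsistent lengths."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad packet length")
    return code, identifier, packet[4:20], dict(decode_attrs(packet[20:]))


class ChallengeServer:
    """Hypothetical AAA server: password check, then IP factor, then token via Access-Challenge/State."""

    def __init__(self, passwords, tokens):
        self.passwords = passwords  # user -> password (constructed demo data)
        self.tokens = tokens        # user -> currently valid one-time token (constructed demo data)
        self.pending = {}           # State value -> user; one-shot, so a State cannot be replayed

    def handle(self, packet, source_ip):
        code, _, _, attrs = parse(packet)
        if code != ACCESS_REQUEST:
            raise ValueError("only Access-Request is handled")
        user, secret = attrs[USER_NAME].decode(), attrs[USER_PASSWORD]
        if STATE in attrs:
            # Second round trip (RFC 2865 section 4.4): State echoed back, User-Password carries the token
            pending_user = self.pending.pop(attrs[STATE], None)
            if pending_user == user and hmac.compare_digest(secret, self.tokens.get(user, b"")):
                return build_response(ACCESS_ACCEPT, packet, [])
            return build_response(ACCESS_REJECT, packet, [(REPLY_MESSAGE, b"Bad token")])
        if not hmac.compare_digest(secret, self.passwords.get(user, b"")):
            return build_response(ACCESS_REJECT, packet, [(REPLY_MESSAGE, b"Bad credentials")])
        if source_ip in TRUSTED_CLIENT_IPS:
            return build_response(ACCESS_ACCEPT, packet, [])  # known IP: second factor satisfied
        # Unknown IP: Access-Challenge instead of Reject, State binds the upcoming token reply to this user
        state = secrets.token_bytes(16)
        self.pending[state] = user
        return build_response(ACCESS_CHALLENGE, packet,
                              [(STATE, state), (REPLY_MESSAGE, b"Token response needed")])


def run_flow(source_ip, token=None):
    """Drive the exchange as the NAS would; returns the response codes seen, e.g. [11, 2]."""
    server = ChallengeServer({"alice": b"pw"}, {"alice": b"123456"})
    request = build_request(1, [(USER_NAME, b"alice"), (USER_PASSWORD, b"pw")])
    response = server.handle(request, source_ip)
    if not verify_response(response, request):
        raise ValueError("bad Response Authenticator")
    code, _, _, attrs = parse(response)
    codes = [code]
    if code == ACCESS_CHALLENGE and token is not None:
        request2 = build_request(2, [(USER_NAME, b"alice"), (USER_PASSWORD, token), (STATE, attrs[STATE])])
        response2 = server.handle(request2, source_ip)
        if not verify_response(response2, request2):
            raise ValueError("bad Response Authenticator")
        codes.append(parse(response2)[0])
    return codes
```

With a known IP the server answers [2] (Accept) on the first request; from an unknown IP it answers 11 (Challenge) and the second request with the right token yields [11, 2], with a wrong token [11, 3]. The server keeps the challenge context keyed by the random State value and deletes it on first use, which is what lets it correlate the token reply with the earlier password check without trusting anything the client sends.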