Creating Access-Challenge Profile in Cisco ISE

Hello All,

I hope someone can help me with this.

For a 3rd-party application I need to send back an Access-Challenge as the Access Type in Cisco ISE.

 

We're using Cisco ISE to verify source IP as one Factor, if the IP is not in our list, the result should be Access-Challenge and the application is taking over and checking for the Token Response.

 

Flow:

Login Page asking for Username / Password

If Username / Password is correct and IP is in our List (checked by ISE) --> Accept

If Username / Password is correct and IP is not in our List (checked by ISE) --> Challenge --> Awaiting Token Response (Token checked by Application itself)

 

Info from Vendor:

====

As per that FAQ, the response which we send complies with RFC 2865 standards. If an Access-Challenge is found, the appliance page prompts for the code and sends the input back to the RADIUS server. It then waits for Access-Accept.

====

 

Sadly I can only choose from Access_Accept or Access_Deny.

Is there any way to create such an additional Access Type?

I know there was a similar question in 2014, but it hasn't been answered yet.

We're using Cisco ISE 2.1.

 

Thanks

Gregor

2 Replies

RichardAtkin
Level 3
Access-Challenge isn't something you'd normally configure yourself as it forms part of a normal EAP/RADIUS exchange.

Can you give us some more context about what it is you're doing (what's the product and what are you trying to get it to do at a high level) and we might be able to come up with a better answer for you.

Reading between the lines a little, it seems you have a RADIUS token server but you only want to bother with the token part if the source IP comes from an IP that's not in your trusted list?
You also mention a login page, does this imply something like an SSL VPN portal on an ASA?

Whereabouts in the Policy are you splitting up those two use cases? I can't say I've ever tried this and I'm not sure it'll work, but have you tried doing it at the authentication stage in the policy?

If source IP = unknown > RADIUS Token Server Authentication
If source IP = known > Some other (non-token) Authentication

Then do Authz rules as need be?

Hello Richard,

Thanks for your reply.

 

This solution is for a product called Bomgar.

By default we have 2-factor authentication activated

- Username / Password

- Token

But for some companies we've introduced using the source IP as one factor to get rid of the token here. (Tokens need to be user-bound, but these companies have service desks and this would mean a lot of tokens.)

There we have

- Username / Password

- IP

Sadly Bomgar isn't able to check the IP address as one factor by itself.

So we created a rule so that Bomgar has two AAA instances to ask.

1st Cisco ISE to check for the IP.

If the IP is correct --> AccessAccept

If the IP is unknown --> AccessDeny

2nd Bomgar itself, which is then checking for the token response.

 

At the current state it's working with some side effects.

If a user is logging in from a known IP, everything works fine.

If a user is logging in from an unknown IP, he will get a deny from ISE, which also means a deny on the Bomgar login page. After that he enters the credentials and the token response again and it works, since now it's authenticated by Bomgar itself.

 

Bomgar is telling us that if we sent an Access-Challenge back instead of a deny, we could create a popup with "token response needed".

 

Regards,

Gregor
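For readers who want to see what the RFC 2865 exchange the vendor and Gregor describe actually looks like on the wire, here is an added example that is not from this thread, from Cisco or from Bomgar: a minimal RADIUS server decision in Python that returns Access-Accept for a trusted source IP, Access-Challenge (with a State attribute and a "token response needed" Reply-Message) for an unknown IP, and Access-Accept only once the State is echoed back with a valid token. The shared secret, the trusted-IP list, the token store and the way the user's IP reaches the server are all constructed assumptions for the model.

```python
import hashlib, hmac, struct
# RFC 2865 packet codes and the two attribute types this model uses
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
ATTR_REPLY_MESSAGE, ATTR_STATE = 18, 24
SECRET = b"constructed-shared-secret"   # constructed sample, not a real secret
TRUSTED_IPS = {"203.0.113.10"}          # constructed allow-list: the "IP in our list" factor
EXPECTED_TOKEN = {"gregor": "123456"}   # constructed stand-in for the application's token check

def encode_attrs(attrs):
    # RFC 2865 attribute layout: Type (1 byte), Length (1 byte, incl. header), Value
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(body):
    out, i = [], 0
    while i < len(body):
        t, length = body[i], body[i + 1]
        out.append((t, body[i + 2:i + length]))
        i += length
    return out

def build_response(code, ident, request_auth, attrs):
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 s.3
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + SECRET).digest() + body

def verify_response(packet, request_auth):
    # Client-side check: a reply forged without the secret, or for another request, fails
    head, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + body + SECRET).digest()
    return hmac.compare_digest(expected, resp_auth)

def challenge_state(user):
    # Opaque State (RFC 2865 s.5.24) the client must echo unchanged in its next Access-Request
    return hmac.new(SECRET, b"challenge:" + user.encode(), "sha256").digest()[:16]

def decide(user, password_ok, client_ip, ident, request_auth, state=None, token=None):
    """Flow from the thread: bad password -> Reject; trusted IP -> Accept; unknown IP with no
    State -> Challenge (State + prompt); unknown IP with echoed State and valid token -> Accept."""
    if not password_ok:
        return build_response(ACCESS_REJECT, ident, request_auth, [])
    if client_ip in TRUSTED_IPS:
        return build_response(ACCESS_ACCEPT, ident, request_auth, [])
    if state is None:
        attrs = [(ATTR_STATE, challenge_state(user)), (ATTR_REPLY_MESSAGE, b"token response needed")]
        return build_response(ACCESS_CHALLENGE, ident, request_auth, attrs)
    state_ok = hmac.compare_digest(state, challenge_state(user))
    token_ok = hmac.compare_digest(token or "", EXPECTED_TOKEN.get(user, ""))
    code = ACCESS_ACCEPT if state_ok and token_ok else ACCESS_REJECT
    return build_response(code, ident, request_auth, [])
```

The second Access-Request in a challenge round trip must carry the State unchanged; the server rejects a mismatched State or token, and the client should drop any reply whose Response Authenticator does not verify against its own Request Authenticator.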