Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3441
Views
85
Helpful
3
Replies

Dual Factor authentication for office Wi-FI

Go to solution
nsimlai
Level 1
Level 1

‎03-01-2022 05:09 AM

Hi,

 

We are looking for dual-factor authentication for office Wi-fi. Currently, we have single-factor authentication using Certificates.

How can we implement dual-factor using Certificate and OTP using External Radius server?

 

 

1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎03-01-2022 03:59 PM

If you're asking about how to force MFA/OTP for a wireless user prior to them connecting to the network, this is not something that is possible at this time (as far as I'm aware).

Current 802.1x protocols do not support insertion of this step and MFA/OTP flows normally assume that the user/endpoint has connectivity to the network (like with VPN). This results in a chicken/egg scenario where connectivity via 802.1x requires MFA/OTP but MFA/OTP requires connectivity.

You could potentially force a portal-based authentication that uses MFA/OTP after the successful 802.1x auth, but that would create a horrible user experience.

View solution in original post

3 Replies 3

Go to solution
Kasun Bandara
VIP
VIP

‎03-01-2022 05:33 AM - edited ‎03-01-2022 05:34 AM

This is one solution for TACACS server using cisco duo. same way should be able to optimize for radius and other requirements. 

https://community.cisco.com/t5/wireless-mobility-documents/cisco-wlc-2fa-with-duo-step-by-step/ta-p/3952024

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎03-01-2022 03:59 PM

If you're asking about how to force MFA/OTP for a wireless user prior to them connecting to the network, this is not something that is possible at this time (as far as I'm aware).

Current 802.1x protocols do not support insertion of this step and MFA/OTP flows normally assume that the user/endpoint has connectivity to the network (like with VPN). This results in a chicken/egg scenario where connectivity via 802.1x requires MFA/OTP but MFA/OTP requires connectivity.

You could potentially force a portal-based authentication that uses MFA/OTP after the successful 802.1x auth, but that would create a horrible user experience.

Go to solution
thomas
Cisco Employee
Cisco Employee

‎03-06-2022 07:12 PM

You may do certificate-based authentication - as you are already doing today.

OR you may do OTP based authentication using RADIUS proxy or any RADIUS RFC 2865-compliant token server. 

But not BOTH certicate and OTP.

See https://cs.co/ise-guides for possible integrations since you didn't mention any specific vendors.

 

Customers Also Viewed These Support Documents