Dual-factor authentication for office Wi-Fi

nsimlai
Level 1

Hi,

We are looking for dual-factor authentication for office Wi-Fi. Currently, we have single-factor authentication using certificates.

How can we implement dual-factor using a certificate and OTP with an external RADIUS server?

1 Accepted Solution

Greg Gibbs
Cisco Employee

If you're asking about how to force MFA/OTP for a wireless user prior to them connecting to the network, this is not something that is possible at this time (as far as I'm aware).

Current 802.1X protocols do not support insertion of this step, and MFA/OTP flows normally assume that the user/endpoint already has connectivity to the network (as with VPN). This results in a chicken/egg scenario where connectivity via 802.1X requires MFA/OTP, but MFA/OTP requires connectivity.

You could potentially force a portal-based authentication that uses MFA/OTP after the successful 802.1X auth, but that would create a horrible user experience.

3 Replies

This is one solution for a TACACS server using Cisco Duo. The same approach should be able to be optimized for RADIUS and other requirements.

https://community.cisco.com/t5/wireless-mobility-documents/cisco-wlc-2fa-with-duo-step-by-step/ta-p/3952024

Please rate this and mark it as the solution/answer if this resolved your issue.
Good luck
KB

thomas
Cisco Employee

You may do certificate-based authentication, as you are already doing today.

OR you may do OTP-based authentication using a RADIUS proxy or any RADIUS RFC 2865-compliant token server.

But not BOTH certificate and OTP.

See https://cs.co/ise-guides for possible integrations since you didn't mention any specific vendors.
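The OTP-only path described above, a NAS (the wireless controller) sending the user's one-time code to an RFC 2865-compliant token server, as an added illustration that is not code from this thread, from Cisco, or from any token-server vendor. It builds the Access-Request with the OTP hidden in a User-Password attribute exactly as RFC 2865 section 5.2 prescribes (MD5 of the shared secret chained off the Request Authenticator, XORed block by block), parses the packets defensively, and checks the Response Authenticator on the reply so a forged or re-coded Access-Accept is rejected. The shared secret, the user table, the OTP values, the identifier 7 and the ToyTokenServer class are all constructed for the example; a real deployment would point at an actual token server. The practitioner caveat this makes visible: the hiding is MD5-XOR obfuscation keyed only by the shared secret, not encryption, so fresh random Request Authenticators per packet and a protected transport (RadSec, RFC 6614, or IPsec) are what actually keep the OTP and the secret safe on the wire.

```python
"""RFC 2865 Access-Request / Access-Accept exchange carrying an OTP.

Added example, not code from this thread or from Cisco. Secret, user table
and OTP values are constructed; ToyTokenServer stands in for a real token
server that speaks RFC 2865.
"""
import hashlib
import hmac
import os
import struct

CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous block), the first block chained off req_auth."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    pad = (-len(password)) % 16
    if not password:
        pad = 16  # an empty password still occupies one full block
    padded = password + b"\x00" * pad
    out, prev = bytearray(), req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def decode_user_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side inverse of encode_user_password."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the two header octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]),
    refusing truncated or overlapping attributes instead of reading past them."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-octet header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, identifier, data[4:20], attrs


def build_access_request(identifier: int, user: bytes, otp: bytes,
                         secret: bytes, req_auth: bytes) -> bytes:
    """NAS side. req_auth must be 16 fresh random octets per request; reusing
    one leaks XOR relations between the hidden passwords it protected."""
    attrs = attribute(ATTR_USER_NAME, user) + attribute(
        ATTR_USER_PASSWORD, encode_user_password(otp, secret, req_auth))
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs)) + req_auth + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side. ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, identifier, req_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify_response(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS side: a mismatch means wrong secret, forgery or a re-coded reply."""
    _, _, resp_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


class ToyTokenServer:
    """Constructed stand-in: one valid code per user, burned on first use."""
    def __init__(self, secret: bytes, valid_otps: dict):
        self.secret, self.valid_otps = secret, dict(valid_otps)

    def handle(self, request: bytes) -> bytes:
        code, _, req_auth, attrs = parse_packet(request)
        if code != CODE_ACCESS_REQUEST:
            raise ValueError("expected Access-Request")
        fields = dict(attrs)
        user, hidden = fields.get(ATTR_USER_NAME), fields.get(ATTR_USER_PASSWORD)
        accept = False
        if user is not None and hidden is not None:
            otp = decode_user_password(hidden, self.secret, req_auth)
            expected = self.valid_otps.get(user)
            if expected is not None and hmac.compare_digest(otp, expected):
                accept = True
                del self.valid_otps[user]  # one-time: a replayed capture fails
        return build_response(CODE_ACCESS_ACCEPT if accept else CODE_ACCESS_REJECT, request, self.secret)


def authenticate(user: bytes, otp: bytes, secret: bytes, server: ToyTokenServer) -> bool:
    """Full exchange from the NAS point of view; True only on a verified Accept."""
    req_auth = os.urandom(16)
    response = server.handle(build_access_request(7, user, otp, secret, req_auth))
    if not verify_response(response, req_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    return parse_packet(response)[0] == CODE_ACCESS_ACCEPT
```

Calling `authenticate(b"alice", b"492817", secret, server)` against a server seeded with that code returns True once and False on the second try, because the server burns the code. Flipping the Code octet of a Reject to 2 (Accept) makes `verify_response` return False, which is the whole point of the Response Authenticator: without the shared secret an on-path attacker cannot mint an Accept. Note that nothing here involves the client's certificate; as the replies above say, the 802.1X/EAP-TLS exchange and this RADIUS OTP exchange are separate authentications, and the OTP path has nothing to do with the certificate path.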