cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1363
Views
10
Helpful
6
Replies

Guest access using dual factor authentication

dgaikwad
Contributor
Contributor

Hi Experts,

Is there anyway that the guest access can be configured using a dual factor authentication?
Or MAB based authentication using dual factor authentication?
Is dual factor authentication possible using the base licenses?

Any pointers appreciated.

1 Accepted Solution

Accepted Solutions

If users use the same username+password on multiple of their "devices of their choice", that is fine and MFA will not change anything.

If users are sharing their corporate passwords with other corporate users or non-corporate users you have major security problems that go way beyond ISE. If they will share passwords, they will share MFA codes, too.

The only solution to stop password sharing is to not use passwords at all and go with certificates on your devices.

Since they do not want to buy ISE licenses for BYOD, they will need to buy MDM licenses to manage their users endpoints to ensure minimum levels of security and provision certificates for authentication.

View solution in original post

6 Replies 6

balaji.bandi
VIP Guru VIP Guru
VIP Guru

Is there anyway that the guest access can be configured using a dual factor authentication?

 - what is the use case here, Guest itself different user and it required different access to go to internet, guest do not have any Local resource access, but with SMS can be possible you need integrate with your Portal.


Or MAB based authentication using dual factor authentication?

 - what devices these are ?  smart phones ? or dumb devices can not be input any data like medical devices or industrial devices.


Is dual factor authentication possible using the base licenses?

 -  Look at below what feature support each License : (ISE License Model and Features)

 

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide-c07-656177.html#7Licensemanagement

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

- what is the use case here, Guest itself different user and it required different access to go to internet, guest do not have any Local resource access, but with SMS can be possible you need integrate with your Portal.
A: These are some of the devices that the internal users or the corporate users bring and would need access to internal network.

- what devices these are ?  smart phones ? or dumb devices can not be input any data like medical devices or industrial devices.
A: Laptops, smart phones and tablets, connecting to the wireless network, where in the users use their own machines to work and access the company network and its resources. Kind of BYOD.

-  Look at below what feature support each License : (ISE License Model and Features
A: Seems that there would be a need to upgrade the license for the feature that we are looking for.

You are not describing a Guest scenario. "Guests" should never be required to use MFA since that is too much effort for the guest and potential support overhead for you.

Internal / corporate users bringing in devices for access to the internal corporate network is considered BYOD and are generally managed with MDM software to ensure they are 1) secure and 2) provisioned with network access profiles (SSIDs, certificates, etc.) for secure connections. You don't do this for Guests with open/unsecured Guest networks.

 

See https://cs.co/ise-licensing for ISE Licensing scenarios.

Basic authentication with MFA uses an ISE Base or Essentials. MDM would be Apex/Premier licensing.

 

Here is the scenario, currently only base licenses are available for use and not in position to procure new ilcensing for the advance use cases.
The other thing is that the company has a policy of allowing users to allow access to network using devices of their choice, using the AD credentials.
Cannot using profiling or BYOD, because of the license upgrade involved. Or even cannot certificate authentication, as CA infrastructure is not available and setup will take quite a time.

Now, there have been incidents of password sharing, thus to curb this and allow only devices of the users to login thinking of MFA.
Or somehow use MAC address + user/password configuration.

I am pretty sure that such a configuration will not be feasible until Plus licenses are procured. Just want some more pointers for this kind of deployment scenario.

If users use the same username+password on multiple of their "devices of their choice", that is fine and MFA will not change anything.

If users are sharing their corporate passwords with other corporate users or non-corporate users you have major security problems that go way beyond ISE. If they will share passwords, they will share MFA codes, too.

The only solution to stop password sharing is to not use passwords at all and go with certificates on your devices.

Since they do not want to buy ISE licenses for BYOD, they will need to buy MDM licenses to manage their users endpoints to ensure minimum levels of security and provision certificates for authentication.

Yes, that does make sense and such a recommendation has already been provided.

I was looking if such a scenario could have been deployed earlier and if there was any other workaround.

I think this resolves it then.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers