08-26-2016 09:38 AM
Hello
My customer wants to use RSA 2 factor authentication to authenticate into ISE admin portal. I have imported the sdconf.rec file already and changed authentication to RSA SecurID under admin access. When I go under an admin group I am not able to see any external group to specify.
When I tried to authenticate an AD user with RSA pin, it is not working.
Thanks
08-26-2016 10:11 AM
Administrative Access to Cisco ISE Using an External Identity Store says,
External Authentication and Internal Authorization—The administrator’s authentication credentials come from the external identity source, and authorization and administrator role assignment take place using the local Cisco ISE database. This model is used for RSA SecurID authentication. This method requires you to configure the same username in both the external identity store and the local Cisco ISE database.
08-26-2016 10:40 AM
Thanks for the reply, but a couple of questions:
1. Not sure I understand "Use another ISE to simulate this radius token". What if I only have one ISE server? What are the configuration options?
2. Am I not allowed to use RSA SecurID instead of Radius Token?
3. Do I need to create every AD username inside ISE internal DB that wants to use RSA to authenticate the portal?
08-26-2016 10:55 AM
On 1, I do not have a RSA SecurID server, so I used another ISE to simulate.
On 2, YES!
On 3, you would need to create the same set of the usernames for the users allowed to use RSA SecurID for authentication to ISE admin portal.