ISE 2.1 Multi Factor Authentication

Mooitartist
Level 1

I've been given a requirement to add multi-factor authentication to ISE. ISE doesn't appear to actually support MFA for the admin page; I say this because I can't choose a defined external RADIUS source for authentication. As far as client authentication goes, it appears there is limited support for guest and sponsor initially, but once the device is provisioned it's back to single factor. We currently provision certificates and require EAP-TLS. If I'm completely off base here, let me know. Note: We use Symantec VIP for multi-factor.

I'm brainstorming the possibility of redirecting a user to a website with SAML to provide the second factor upon successful EAP-TLS authentication. Unfortunately none of the out-of-the-box splash pages allow for this.

Accepted Solution

nspasov
Cisco Employee

Hi there!

One way you can accomplish dual-factor authentication in your scenario is to use EAP+CWA Chaining. This is covered in more detail in the recent Cisco Live ISE sessions, but the flow would be something like this:

- If the machine is doing EAP-TLS and the machine certificate is valid, THEN the Authorization Profile will redirect the client to CWA.

- The client is then presented with the web portal that is integrated with AD. There the client must provide the LDAP-based username/password.

- The final authorization rule would check the AD group and determine the type of access that is to be given to that client.

I hope this helps!

Thank you for rating helpful posts!

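As an added illustration of the chained flow described in the accepted solution (this is example code written for this page, not anything from the post or from Cisco ISE), the following Python models ISE-style top-down, first-match authorization rules: a valid machine certificate alone only earns the CWA redirect, and full access requires both the certificate and a CWA login, with the AD group deciding the access level. Rule names, profile names, the session attribute names and the AD group "NetAdmins" are all constructed.

```python
# Added example: first-match evaluator for EAP-TLS + CWA chained authorization.
# Rule names, profiles, attribute names and the "NetAdmins" group are constructed.
from dataclasses import dataclass, field
from typing import Callable, Optional, Set, Tuple


@dataclass
class Session:
    """Attributes ISE would hold for one endpoint session (constructed)."""
    eap_tls_ok: bool = False            # machine certificate validated (factor 1)
    cwa_user: Optional[str] = None      # username authenticated at the CWA portal (factor 2)
    ad_groups: Set[str] = field(default_factory=set)


@dataclass
class Rule:
    name: str
    matches: Callable[[Session], bool]
    profile: str                        # authorization profile returned on match


# Evaluated top-down; the first rule whose condition holds wins, like an ISE policy set.
RULES = [
    # Factor 1 passed but no portal login yet: hand out only the redirect profile.
    Rule("MachineCert_RedirectToCWA",
         lambda s: s.eap_tls_ok and s.cwa_user is None,
         "CWA-Redirect"),
    # Both factors present; AD group decides the level of access.
    Rule("MachineCert_And_User_NetAdmin",
         lambda s: s.eap_tls_ok and s.cwa_user is not None and "NetAdmins" in s.ad_groups,
         "PermitAccess-Admin"),
    Rule("MachineCert_And_User_Employee",
         lambda s: s.eap_tls_ok and s.cwa_user is not None,
         "PermitAccess-Employee"),
]
DEFAULT_PROFILE = "DenyAccess"           # no rule matched, including portal login without a cert


def authorize(session: Session) -> Tuple[str, str]:
    """Return (rule name, authorization profile) for the first matching rule."""
    for rule in RULES:
        if rule.matches(session):
            return rule.name, rule.profile
    return "Default", DEFAULT_PROFILE


if __name__ == "__main__":
    print(authorize(Session(eap_tls_ok=True)))
    print(authorize(Session(eap_tls_ok=True, cwa_user="alice", ad_groups={"NetAdmins"})))
```

The last session in the test below, a portal login with no valid machine certificate, falls through to DenyAccess, which is the property the chaining is meant to enforce.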


grant.maynard
Level 4

Is Symantec VIP a 2FA server which runs a RADIUS service and returns a Yes/No? If it is, then you can just add it as a RADIUS token server.

I can't see why you couldn't then use this as the Identity Source for guest portal.

To use this for administrative login you create "shadow" admin users (check the box for External) at Administration > System > Admin Access > Administrators > Admin Users, then set the Identity Source to be that RADIUS token server at Administration > System > Admin Access > Authentication. When the user hits the ISE admin login page, they select the token server.

HTH