09-27-2017 05:01 AM
Hi,
We are currently researching integrating ISE with Safenet / RSA for Device Administration and two-factor authentication. Below is the sample flow of what we expect to test. Can you confirm if ISE supports this type of deployment?
R1 is configured for TACACS to go to ISE.
Administrator to SSH on R1
1) Authenticate with AD credential
2) After user validated using AD, 2FA OTP / Passcode using Safenet Radius will happen.
Regards,
Davesh
09-28-2017 09:50 AM
That should work perfectly. Let the 2FA server run the whole authentication process proxied through ISE and have ISE just do authorization.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
09-27-2017 08:47 AM
Cisco ISE Two Factor Authentication / Authorisation with different User Identity Store shows what ISE is supporting today.
If you need it supported in one single login authentication, the best I can think of is that some RADIUS OTP vendors also connect to AD/LDAP, so they would accept AD+OTP together.
09-27-2017 09:56 AM
In addition to what Hsing said I would also ask what is the point of doing the AD authentication when you have 2FA implemented? You can involve AD authorization without asking them for their credentials. So the authentication phase can simply be ISE sending the RADIUS call to Safenet. The authorization phase can be an AD group check, check to verify their AD account is still enabled, etc.
09-28-2017 02:49 AM
Hi,
Thanks for the info. I further checked and found that the 2FA server (RSA/Safenet etc.) shall do the AD+OTP authentication, and then using ISE we can perform the authorization for limiting device access privileges. The 2FA needs to be completed in a single RADIUS request, which might not happen with the above scenario presented and would further complicate the setup.
So I believe the optimal flow would be, when the Admin SSHes to R1:
1) R1 sends TACACS Request to ISE for validation
2) ISE checks the authentication profile to go to 2FA (RSA or Safenet) using Radius Service
3) RSA/Safenet perform the AD + OTP check (2FA)
4) Upon Access-Accept, ISE applies the authorization profiles for access restrictions.
Best Regards,
Davesh
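The four-step flow above, written out as an added simulation (this is example code, not anything from the thread or from Cisco, RSA or SafeNet). It assumes, as the thread's "single RADIUS request" point implies, that the one password field the router forwards carries the AD password with the OTP appended, so the proxied Access-Request contains both factors; the 2FA server checks both and answers only Accept or Reject, and ISE then applies its own authorization policy (AD group and account-enabled check, as suggested earlier in the thread). The OTP check is a real RFC 4226 HOTP computation; the directory, token seeds, group names and privilege mapping are all constructed for the example.

```python
"""Simulation of TACACS+ login on R1 -> ISE -> RADIUS 2FA (AD + OTP) -> ISE authorization.
All servers, users, secrets and group names below are constructed for this example."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed "AD" directory and per-user token seeds held by the simulated 2FA server.
DIRECTORY = {
    "alice": {"password": "Wint3r!", "enabled": True, "groups": ["NetAdmins"]},
    "bob": {"password": "Summ3r!", "enabled": True, "groups": ["Helpdesk"]},
    "carol": {"password": "Aut4mn!", "enabled": False, "groups": ["NetAdmins"]},
}
TOKEN_SEEDS = {
    # RFC 4226 test-vector seed, reused for every user so results are reproducible.
    "alice": b"12345678901234567890",
    "bob": b"12345678901234567890",
    "carol": b"12345678901234567890",
}


def split_passcode(passcode: str, otp_digits: int = 6):
    """Assumption for this example: the single TACACS+ password field carries
    <AD password><OTP>, so one RADIUS Access-Request delivers both factors."""
    if len(passcode) <= otp_digits or not passcode[-otp_digits:].isdigit():
        return None, None
    return passcode[:-otp_digits], passcode[-otp_digits:]


def twofa_radius_auth(username: str, passcode: str, counter: int) -> str:
    """Step 3: simulated RSA/SafeNet RADIUS server checks AD password, then OTP.
    Returns only Access-Accept or Access-Reject; it does not reveal which factor failed."""
    user = DIRECTORY.get(username)
    ad_pw, otp = split_passcode(passcode)
    if user is None or ad_pw is None:
        return "Access-Reject"
    pw_ok = hmac.compare_digest(ad_pw.encode(), user["password"].encode())
    otp_ok = hmac.compare_digest(otp, hotp(TOKEN_SEEDS[username], counter))
    return "Access-Accept" if pw_ok and otp_ok else "Access-Reject"


def ise_authorize(username: str) -> dict:
    """Step 4: simulated ISE authorization policy, AD group -> shell privilege level,
    plus a check that the AD account is still enabled (no password needed here)."""
    user = DIRECTORY.get(username)
    if user is None or not user["enabled"]:
        return {"status": "FAIL", "reason": "account disabled or unknown"}
    if "NetAdmins" in user["groups"]:
        return {"status": "PASS", "priv-lvl": 15}
    return {"status": "PASS", "priv-lvl": 1}


def handle_tacacs_login(username: str, passcode: str, token_counter: int) -> dict:
    """Steps 1-2 from ISE's side: the TACACS+ authentication request from R1 is
    proxied as one RADIUS request to the 2FA server; authorization runs only on Accept."""
    radius_result = twofa_radius_auth(username, passcode, token_counter)
    if radius_result != "Access-Accept":
        return {"authentication": "FAIL", "authorization": None}
    return {"authentication": "PASS", "authorization": ise_authorize(username)}


if __name__ == "__main__":
    # alice's current token code for counter 0 is the RFC 4226 vector 755224.
    print(handle_tacacs_login("alice", "Wint3r!" + hotp(TOKEN_SEEDS["alice"], 0), 0))
    print(handle_tacacs_login("carol", "Aut4mn!" + hotp(TOKEN_SEEDS["carol"], 0), 0))
```

Note the split of responsibilities the thread converges on: the 2FA server is the only party that sees a password, and ISE never has to ask for AD credentials a second time; a disabled account (carol) still authenticates at the token server but is stopped by the authorization policy, which is where an account-enabled check belongs in this design.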
02-15-2018 10:23 AM
Have tested using DUO with ISE 2.3 and ACS 5.6 for network device access using 2FA. Here are the steps for your reference:
Test it out and enjoy it.