Solved: ISE 2.+ TACACS+ Device Administration with Google Authenticator 2FA

ciscobacon · ‎09-03-2017

I am currently researching a second factor implementation on multiple Cisco IOS-XE and ASA products and was hoping to be able to use TACACS+ built into ISE for authentication, but with an external TACACS+ server with PAM module installed to support Gauth as my second factor. Is this possible? I've seen screenshots of AAA logins on IOS-XE asking for "password & verification code:" in one line, which doesn't sound helpful, since I don't believe ISE will be able to parse one line of both password and authentication token. Any help is greatly appreciated!

thomas · ‎06-08-2020

No PAM support.

Only SAML.

See http://cs.co/ise-compatibility docs.

View solution in original post

hslai · ‎09-05-2017

ISE is not currently integrating directly with Google Authenticator via PAM. It might work if you are able to use a 3rd-party RADIUS server to integrate with Google Authenticator and use that in ISE as an identity store of RADIUS token server type, and pass on the whole string (password & verification code) to the 3rd-party RADIUS server, which in tun to Google Authenticator.

ciscobacon · ‎09-06-2017

Hi Hslai,

Thank you so much for your meaningful and concise answer! Since the authentication model RADIUS token servers support only PAP or EAP-GTC, which are not really an option for me atm, I was wondering if an external TACACS server might work instead. Second question for you - do you know of a way to use ISE's internal database for the password authentication and still use an external TACACS server for the gauth token authentication? Thank you!

hslai · ‎09-06-2017

ISE T+ supports PAP/ASCII, CHAP, and MS-CHAPv1 only. Please share why PAP insufficient. Even with PAP, we may change passwords in AD.

The only use case ISE T+ support different ID stores is Login Authentication and Enable Authorization Differentiation.. See previous discussion -- Cisco ISE Two Factor Authentication / Authorisation with different User Identity Store

ciscobacon · ‎09-08-2017

I am now in the middle of a lab in GNS3 for this situation - I've only made it to authenticating line vty with T+ through ISE (works so far), but am noticing the requirement of PAP for the authentication protocol. As you have asked why PAP is insufficient - It sends passwords and usernames in the clear and unless you can 100% verify every node in your network along the path is secure, this is extremely unacceptable for security standards. As it is in my case, I have ISE nodes within the same site, but our external T+ server will be separated across the WAN. Even using VPN site-to-site tunnels won't cover the separate nodes this traffic will cross within these sites, so its gives me great pause to consider such an outdated mode of authentication. I'm wondering if there's another way to protect this traffic at different points in the LAN, but I sure wish I didn't have to think about this and Cisco ISE had implemented more secure authentication protocols in the first place.

hslai · ‎09-11-2017

ISE provides point-to-point IPSec encryptions between ISE and NAD, if the NAD is capable of IPSec. See Configure ISE 2.2 IPSEC to Secure NAD (IOS) Communication

Madura Malwatte · ‎06-08-2020

Hi @hslai, I saw this thread was from 2017, but is it still the case that ISE does not currently integrate directly with Google Authenticator via PAM?

thomas · ‎06-08-2020

No PAM support.

Only SAML.

See http://cs.co/ise-compatibility docs.