6081 Views · 6 Helpful · 3 Replies

ISE as Two Factor Authentication Tool?

mweintraub
Level 1

Can ISE be configured to create a two-factor authentication protocol without the use of an external identity source like an RSA token? Or at least can it be configured to work with other Cisco products in a way that acts as two-factor authentication like in conjunction with Anyconnect?


3 Replies

Craig Hyps
Level 10

I suggest reviewing this session from Cisco Live 2017: On-Demand Library - Cisco Live Global Events (see the referenced presentation).

Specific to OTP, that is something that requires integration with an external RSA/RADIUS-based token server, as ISE is not an OTP server. Some examples that may address the customer goal (and not all technically qualify as pure MFA) include EAP Chaining, CWA Chaining, EZC Chaining, and Machine Access Restrictions (MAR). Some methods are NAD based (for example, ASA can perform double auth), or are client based (for example, a biometric reader or PIN to unlock credentials/certificate). The session I cite above also gets into the options to handle the device + user auth, which is not MFA, but multiple identity auth.

Craig

So it is not a problem to implement MFA (let's say DUO) with dot1x for user auth? Do I need to use some xy chaining? Thank you.

The chaining options are not true MFA. MFA typically refers to multiple factors (such as something you have, something you know, something you are) being used for a specific identity. The chaining options are separate, discrete auth events, but combined together to provide a single access policy decision. This is similar to the ASA double authentication feature. It is not MFA in the pure sense. That said, you need to decide what outcome you are trying to achieve.

We do not have any special integration with DUO, although I have received reports of successful integration with ISE. DUO is more of a true MFA type function which can work outside ISE, but may have the needed hooks via RADIUS, LDAP, or other integration into the web auth flow.