01-04-2018 08:15 AM
I was just asked by my security folks if it is possible to have ISE/TACACS+ use both RSA and Active Directory authentication.
The ask from the Security team is to have any device that uses ISE for authentication to challenge for:
- AD User ID and AD password
if this is successful, then challenge a 2nd time for:
- AD User ID and RSA token
First thing, I am trying to figure out why the Security team wants to essentially go to 3-factor authentication. I initially thought I might be able to chain the auth, sort of how it is set up for Guest Access, but I am fairly certain that the network device will not play nice with that type of setup. The router/switch would essentially see the first auth request as failing???
I mentioned that it might be possible to have device access limited to Level 1 and have that be AD/RSA, then if level 15 is requested, then use AD/password. That was not acceptable.
We thought of issuing client certs to the network support staff laptops and using the certs as part of login process, but again, that was not acceptable.
The Security team wants both AD/password and AD/RSA used to login as two separate login steps. I don't even think ISE could send back three context fields: User ID/AD Password/RSA token.
Help!!!!
Labels: Identity Services Engine (ISE)
Accepted Solutions

01-10-2018 04:54 PM
Here is a community site I created that explains the two factor authentication mechanism that works with ISE. Hope it helps. For T+, shell profiles and command sets are sent as part of authorization. So the CWA chaining you can do for RADIUS may not be possible here.
Two Factor Authentication on ISE – 2FA on ISE
-Krishnan

01-05-2018 06:34 AM
I would challenge the security team by asking them what security standard they are going off of that says MFA isn't good enough and we need to ask for a less secure authentication method in addition to MFA.
Do they know that even if you do MFA only, you can still do AD group checks and AD account disabled checks in the authorization phase to ensure the AD account is still valid and is in the correct AD groups to have access to the device?
01-08-2018 06:30 AM
As part of the authorization process we are doing the AD group membership check. We are also checking if the account is in any state other than 'valid' or something like that (I don't recall the exact terminology).
The Security team likes that idea, but it doesn't match their idea that during the login process the user needs to be prompted for 2 different types of info.
We mentioned that we are also doing a check that access must come from certain subnets. We do this with 802.1x. That also does not meet their requirement for multi-factor auth.
I am not sure what the exact criteria are that security is looking for. They asked if we could enhance our multi-factor authentication by adding the AD/password challenge in addition to the RSA challenge. I reported back that I do not believe this is an option, but we are also doing AD membership and subnet restriction along with the OTP from RSA.
01-07-2018 07:17 PM
You might want to read the following two references:
- Why Multi-Factor and Two-Factor Authentication May Not Be the Same
- SP 800-63B (esp. 4. Authenticator Assurance Levels):
- Multi-Factor OTP by itself can achieve AAL2.
If acceptable, I know of some OTP products that validate OTP and LDAP passwords together; e.g. Symantec VIP Enterprise Gateway can have its validation server configured in User Name – LDAP Password – Security Code mode.
I am not sure whether ISE T+ using a RADIUS token server as the ID source supports Access-Challenge, so I am checking on that.
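The two-prompt flow the thread keeps coming back to (password first, then a token) is exactly what RADIUS Access-Challenge with the State attribute is for, and the Access-Challenge question in this last reply is easier to reason about with a concrete exchange in front of you. The following is an added example written for this page, not Cisco ISE code and not anything posted in the thread: it simulates both the RADIUS server and the network device in one process. It assumes HOTP (RFC 4226) in place of the RSA token, an in-memory PBKDF2 table in place of Active Directory, and plain dicts in place of real RADIUS packet encoding; the attribute names (User-Name, User-Password, State, Reply-Message) and packet codes are the RFC 2865 ones. The points a defender cares about are in the server: the State value is unguessable, single-use, bound to the user who passed step one, and time-limited, and a used token cannot be replayed.

```python
"""Password-then-OTP login carried over RADIUS Access-Challenge (added example).

Not Cisco ISE code or anything from the thread: a self-contained simulation of
a RADIUS server and a network device (NAS). Assumptions: HOTP stands in for the
RSA token, an in-memory PBKDF2 table stands in for Active Directory, and dicts
stand in for RADIUS packet encoding.
"""
import hashlib
import hmac
import secrets
import time

# RADIUS packet codes (RFC 2865 section 3)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1, dynamic truncation, modulo 10^digits."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Stand-in for the directory's password verifier."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class RadiusServer:
    """Two-step authenticator: directory password, then OTP via Access-Challenge."""

    def __init__(self, users, otp_seeds, challenge_ttl=60):
        self.users = users        # user -> (salt, pbkdf2 hash)
        self.otp = otp_seeds      # user -> [seed, next expected counter]
        self.pending = {}         # State -> (user, expiry)
        self.ttl = challenge_ttl

    def handle(self, req: dict, now=None) -> dict:
        now = time.time() if now is None else now
        user = req.get("User-Name", "")
        if "State" not in req:
            return self._password_step(user, req.get("User-Password", ""), now)
        return self._otp_step(user, req["State"], req.get("User-Password", ""), now)

    def _password_step(self, user, password, now):
        rec = self.users.get(user)
        # Constant-time comparison of the derived key against the stored verifier.
        if rec is None or not hmac.compare_digest(_pbkdf2(password, rec[0]), rec[1]):
            return {"code": ACCESS_REJECT}
        # State is opaque to the NAS; it must be unguessable and bound to this user.
        state = secrets.token_bytes(16)
        self.pending[state] = (user, now + self.ttl)
        return {"code": ACCESS_CHALLENGE, "State": state, "Reply-Message": "Enter RSA token:"}

    def _otp_step(self, user, state, token, now):
        entry = self.pending.pop(state, None)   # pop: each State is usable exactly once
        if entry is None or entry[0] != user or now > entry[1]:
            return {"code": ACCESS_REJECT}
        seed, counter = self.otp[user]
        # A small look-ahead window tolerates counter drift; on success the counter
        # moves past the used value so the same token cannot be replayed.
        for c in range(counter, counter + 3):
            if hmac.compare_digest(hotp(seed, c), token):
                self.otp[user] = [seed, c + 1]
                return {"code": ACCESS_ACCEPT}
        return {"code": ACCESS_REJECT}


def nas_login(server: RadiusServer, user: str, password: str, token: str) -> int:
    """Device side: send the password; on Access-Challenge, echo State with the token."""
    reply = server.handle({"User-Name": user, "User-Password": password})
    if reply["code"] != ACCESS_CHALLENGE:
        return reply["code"]
    reply = server.handle({"User-Name": user, "User-Password": token, "State": reply["State"]})
    return reply["code"]


# Constructed sample data, not real credentials.
SALT = b"constructed-salt"
OTP_SEED = b"12345678901234567890"   # RFC 4226 test-vector secret


def make_server() -> RadiusServer:
    return RadiusServer({"alice": (SALT, _pbkdf2("correct horse", SALT))},
                        {"alice": [OTP_SEED, 0]})


if __name__ == "__main__":
    srv = make_server()
    print(nas_login(srv, "alice", "correct horse", hotp(OTP_SEED, 0)))  # 2 = Access-Accept
    print(nas_login(srv, "alice", "correct horse", hotp(OTP_SEED, 0)))  # 3 = replayed token
```

Two details carry over to a real deployment: the device only ever relays the State blob and the user's second input, so whether a given NAS "plays nice" comes down to whether it honours Access-Challenge at all, and the server must treat the challenge as a short-lived, single-use session so that a rejected or abandoned second step cannot be picked up later by someone else.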
