Hi Guys, I want my ISE Device Admin to be in 2FA (AD username + passcode). I know that ISE can only authenticate to one external ID store at a time so what I am going to do is to integrate my 2FA server (since my 2FA is integrated already to AD). My question now is, which of these options should I use?
1. External RADIUS Server (under the Network Resources category)
2. RADIUS Token (under the External ID Sources) - this is the existing setup, but I noticed I need to configure a username stored locally in the ISE DB, which I don't want. I want to leverage the integration of my 2FA and AD.
3. RSA SecurID (under the External ID Sources)
I personally don't know the RSA solution. When using Duo, I use RADIUS Token and replied to a previous post with the same requirements (https://community.cisco.com/t5/network-access-control/tacacs-authentication-with-a-proxy-radius-and-local/td-p/4088804)
Doing a quick search on this forum, you can use RADIUS Token and external 2FA for RSA. See the following links (2nd link includes an official guide from RSA):
Thanks for your feedback, I'll check it out.
But I am just wondering what is the difference between those different ways to integrate a RADIUS server?