ISE Device Admin with 2FA

Hi Guys, I want my ISE Device Admin to be in 2FA (AD username + passcode). I know that ISE can only authenticate to one external ID store at a time so what I am going to do is to integrate my 2FA server (since my 2FA is integrated already to AD). My question now is, which of these options should I use?

1. External RADIUS Server (under the Network Resources category)

2. RADIUS Token (under the External ID Sources) - this is the existing setup, but I noticed I need to configure a username stored locally in the ISE DB, which I don't want. I want to leverage the integration of my 2FA and AD.

3. RSA SecurID (under the External ID Sources)

Thanks

 

 


Hi

I personally don't know the RSA solution. When using Duo, I use RADIUS Token, and I replied to a previous post with the same requirements (https://community.cisco.com/t5/network-access-control/tacacs-authentication-with-a-proxy-radius-and-local/td-p/4088804)

Doing a quick search on this forum, you can use RADIUS Token and external 2FA for RSA. See the following links (the 2nd link includes an official guide from RSA):

https://community.cisco.com/t5/network-access-control/cisco-ise-tacacs-with-rsa-securid-and-ad-integration/td-p/3441295

https://community.cisco.com/t5/security-documents/two-factor-authentication-on-ise-2fa-on-ise/ta-p/3636120

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi @Francesco Molino,

Thanks for your feedback, I'll check it out.

But I am just wondering, what are the differences between those different ways to integrate a RADIUS server?

Thanks


The external identity source called RSA SecurID is a specific integration between ISE and RSA. RADIUS Token is an external server communicating through the RADIUS protocol. In this last case, ISE acts as a RADIUS proxy and gets info regarding authentication from another RADIUS, for example.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
