Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
2097
Views
5
Helpful
4
Replies

ISE Device Admin with 2FA

Go to solution
fatalXerror
Level 5
Level 5

ā€Ž08-06-2020 03:27 AM

Hi Guys, I want my ISE Device Admin to be in 2FA (AD username + passcode). I know that ISE can only authenticate to one external ID store at a time so what I am going to do is to integrate my 2FA server (since my 2FA is integrated already to AD). My question now is, which of these options should I use?

1. External RADIUS Server (under the Network Resources category)

2. RADIUS Token (under the External ID Sources) - this is the existing setup but I noticed I need to configure a username stored locally in ISE DB in which I don't want. I want to leverage the integration of my 2FA and AD.

3. RSA SecurID (under the External ID Sources)

Thanks

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to fatalXerror

ā€Ž08-06-2020 11:38 AM

The external identity source called RSA SecurID is a specific integration between ISE and RSA. Radius Token is an external server communicating through radius protocol. In this last case, ISE act as a proxy Radius and gets infos regarding authentication from another radius for example.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

ā€Ž08-06-2020 10:42 AM

Hi

 

I personally don't know the rsa solution. When using Duo, I use Radius token and replied to a previous post with same requirements (https://community.cisco.com/t5/network-access-control/tacacs-authentication-with-a-proxy-radius-and-local/td-p/4088804)

 

Doing a quick search on this forum, you can use Radius Token and external 2FA for RSA. See the following links (2nd link include an official guide from RSA):

https://community.cisco.com/t5/network-access-control/cisco-ise-tacacs-with-rsa-securid-and-ad-integration/td-p/3441295

https://community.cisco.com/t5/security-documents/two-factor-authentication-on-ise-2fa-on-ise/ta-p/3636120

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Go to solution
fatalXerror
Level 5
Level 5
In response to Francesco Molino

ā€Ž08-06-2020 10:53 AM

Hi @Francesco Molino,

Thanks for your feedback, I'll check it out.

But I am just wondering what are the difference between those different ways to integrate RADIUS server?

Thaks

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to fatalXerror

ā€Ž08-06-2020 11:38 AM

The external identity source called RSA SecurID is a specific integration between ISE and RSA. Radius Token is an external server communicating through radius protocol. In this last case, ISE act as a proxy Radius and gets infos regarding authentication from another radius for example.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
thomas
Cisco Employee
Cisco Employee

ā€Ž08-11-2020 02:45 PM

Did you look at the Cisco ISE - RSA SecurID Access Implementation Guide ?

0 Helpful
Customers Also Viewed These Support Documents