ISE - External Identity Store - Two Factor Request Passes Token and Password

Phi Yim
Cisco Employee

ISE experts,

My customer is using ISE for TACACS and would like to enable two factor authentication.

They currently have their two factor authentication server configured as an external identity store which works as expected.  Problem is, when ISE sends the request to the RADIUS token server for authentication, it sends the AD username/password along with the token.  If an admin with access to the RADIUS token server runs a debug, they can see the user’s active directory password which they want to avoid.

Question – Is it possible for ISE to separate the authentication request?  Something like this:

  1. Supplicant sends credentials to ISE to authenticate against AD.
  2. If AD credentials pass, supplicant sends the token to ISE to authenticate against RADIUS token server.
  3. If pass, proceed to authorization policies.

Or alternative:

  1. Supplicant sends AD credentials and token to ISE for authentication.
  2. ISE authenticates credentials against AD and sends the token only to the RADIUS token server.
  3. If it passes, then proceed to authorization policies.

Thanks for your help!

4 Replies

hslai
Cisco Employee
(Accepted Solution)

Neither is really supported by ISE today. I think your customer's token server supports it because it has the inside knowledge of which characters belong to the OTP and the rest to the AD password.

What is supported in ISE is CWA chaining -- use AD to perform one authentication (e.g. DOT1X) and then redirect to an ISE guest portal to be authenticated by token.

hslai
Cisco Employee

Also it is common to use different ID stores for login and enable, by using the TACACS dictionary.

Please see if that is an option for your customers.

Phi Yim
Cisco Employee

Thanks for getting back to me. If we use different ID stores for login and enable, the problem still exists if the customer chooses two factor for enable, right?

hslai
Cisco Employee

Yep, if customers choose it that way.

IMHO it's essentially two factors with one ID store for login and another for enable, so customers need not send AD credentials to the OTP server. Anyhow, it's up to the customers.
