03-25-2016 05:44 PM
ISE experts,
My customer is using ISE for TACACS and would like to enable two factor authentication.
They currently have their two factor authentication server configured as an external identity store which works as expected. Problem is, when ISE sends the request to the RADIUS token server for authentication, it sends the AD username/password along with the token. If an admin with access to the RADIUS token server runs a debug, they can see the user’s active directory password which they want to avoid.
Question – Is it possible for ISE to separate the authentication request? Something like this:
Or alternative:
Thanks for your help!
03-25-2016 09:04 PM
Neither is really supported by ISE today. I think your customer's token server supports it because it has the inside knowledge of which characters belong to the OTP and the rest to the AD password.
What is supported in ISE is CWA chaining -- using AD to perform one auth (e.g. DOT1X) and then redirecting to an ISE guest portal to be authenticated by token.
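To make concrete why the question's concern is real and what the accepted answer means by the token server's "inside knowledge", here is an added example (not from this thread, and not Cisco ISE or any token server's code). It models a RADIUS User-Password attribute the way RFC 2865 section 5.2 hides it: the value is XOR-obfuscated with a keystream derived from the shared secret and the Request Authenticator, so any server holding the shared secret recovers the plaintext before it can evaluate the credential. Once the plaintext is the concatenation "AD password + OTP", the token server (or anyone reading its debug output) sees the AD password; the hiding protects only the wire hop. The shared secret, the authenticator, the sample password and the assumption that the OTP is a fixed six digits appended to the password are all constructed for the demo.

```python
import hashlib
from typing import Dict, Tuple

# Constructed demo values (not from the thread): a RADIUS shared secret and a
# fixed 16-octet Request Authenticator. Real clients pick a fresh random
# authenticator per request.
DEMO_SECRET = b"demo-shared-secret"
DEMO_AUTHENTICATOR = bytes(range(16))


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password value as in RFC 2865 section 5.2.

    The password is NUL-padded to a multiple of 16 octets; each 16-octet chunk
    is XORed with MD5(secret + previous ciphertext chunk), seeded with the
    Request Authenticator.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        chunk = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += chunk
        prev = chunk
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password: what any holder of the shared secret
    (here the RADIUS token server) recovers before evaluating the credential."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-zero multiple of 16 octets")
    clear = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        clear += _xor16(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    # Strip the NUL padding; RFC 2865 assumes the password contains no NUL octets.
    return bytes(clear).rstrip(b"\x00")


def split_password_and_otp(credential: bytes, otp_length: int = 6) -> Tuple[bytes, bytes]:
    """Model of the token server's 'inside knowledge': with a fixed-length OTP
    appended, it separates the AD password from the token code.
    otp_length=6 is an assumption for the demo."""
    if len(credential) <= otp_length:
        raise ValueError("credential shorter than the OTP it is supposed to carry")
    return credential[:-otp_length], credential[-otp_length:]


def token_server_view(ad_password: bytes, otp: bytes) -> Dict[str, object]:
    """Simulate ISE forwarding 'AD password + OTP' as one User-Password to the
    token server, and return what that server can write to a debug log."""
    combined = ad_password + otp
    on_the_wire = hide_user_password(combined, DEMO_SECRET, DEMO_AUTHENTICATOR)
    recovered = reveal_user_password(on_the_wire, DEMO_SECRET, DEMO_AUTHENTICATOR)
    seen_password, seen_otp = split_password_and_otp(recovered, len(otp))
    return {
        "wire_value_hex": on_the_wire.hex(),   # obfuscated on the hop only
        "recovered": recovered,                 # plaintext at the token server
        "ad_password_visible": seen_password,   # the thing the customer wants hidden
        "otp_visible": seen_otp,
    }


if __name__ == "__main__":
    view = token_server_view(b"Correct-Horse-9", b"482913")  # constructed sample
    for key, value in view.items():
        print(f"{key}: {value!r}")
```

The takeaway for the design discussion in this thread: no setting on the RADIUS hop changes this, because the server must recover the full plaintext to do its job. The only way the token server never sees the AD password is for it never to be sent there, which is what the later suggestion of separate ID stores for login and enable achieves.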
03-26-2016 11:55 AM
Also it is common to use different ID stores for login and enable, by using the TACACS dictionary.
Please see if that is an option for your customers.
03-28-2016 02:32 PM
Thanks for getting back to me. If we use different ID stores for login and enable, the problem still exists if the customer chooses two factor for enable, right?
03-28-2016 02:44 PM
Yep, if customers choose it that way.
IMHO it's essentially two factors with one ID store for login and another for enable, so customers need not send AD credentials to OTP. Anyhow, it's up to the customers.