
02-03-2017 04:04 AM
There are a couple of questions that I need confirmation for:
- Same user logged in from multiple locations at the same time, wired/wireless (dot1x) or via VPN. I know there isn’t anything inbuilt in ISE (?) to alert on a user logged in from more than 1 location. We can run the active session report, export it and do the correlation separately.
Q: Can StealthWatch report this easily? How can we stop/alert (the admin) if this happens?
- A customer has 50% of its workforce as 3rd parties and they need to posture every endpoint. What would be the best solution for this? NAC Web Agent, I would assume. Does that also need admin rights for the Web Agent to be installed? I know they cannot remediate with Web Agent, but is there any other option other than using AC?
- ISE support of 2FA. I guess we do that via ASA today with multiple authentication options. Is there any other way?
Many thanks,
Abhi
Labels: Identity Services Engine (ISE)
Accepted Solutions
02-03-2017 04:42 AM
Abhishek,
1. This is easily accomplished with ISE 2.2. Navigate to Administration > System > Settings > Max Sessions.
2. This is covered in the Clean Access Manager Installation and Configuration Guide.
3. You can perform both authentications of the Two-Factor Authentication flow within ISE. For example, using RSA as the second factor, as found here in the Admin Guide.

02-03-2017 06:42 AM
Brilliant, thanks Charles.

02-03-2017 10:35 AM
Hi Abhishek,
A few things to remember:
Point 1 above shows how it can be done. Again, this is supported in ISE 2.2. However, I don't think we generate alerts on these.
Point 2 above: CCA is an older solution. I would suggest going the ISE route. In ISE 2.2, we have a way to do posture with no URL-redirect that can be used in 3rd party environments. You need AnyConnect for that. AnyConnect has a headless mode where this can be installed without UI. AnyConnect also supports web agent that could be used for non-admin.
For point 3, apart from RSA SecurID, any solution that supports an RFC 2865 compliant token server is supported. EAP-chaining can also be considered for two-step verification. You can use Symantec VIP with guest for two factor or SAML 2.0 SSO with form-auth. The compatibility guide lists the external ID servers we support:
Cisco Identity Services Engine Network Component Compatibility, Release 2.2 - Cisco
ISE Design & Integration Guides talks about Symantec VIP.
Thanks
Krishnan
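
The offline correlation mentioned in the question (export the active session report, then look for one user active from more than one place at once), as an added example that is not from any poster or from Cisco. The CSV column names, the sample rows and the use of the NAS IP as the "location" are all assumptions, not the ISE report schema.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample export. Column names are assumptions, not the ISE schema.
# An empty session_end means the session is still active.
SAMPLE_EXPORT = """username,nas_ip,access_type,session_start,session_end
alice,10.1.1.10,wired-dot1x,2017-02-03 08:00:00,2017-02-03 12:00:00
alice,172.16.0.5,vpn,2017-02-03 09:30:00,2017-02-03 10:15:00
bob,10.1.1.10,wireless-dot1x,2017-02-03 08:00:00,2017-02-03 09:00:00
bob,10.2.2.20,wired-dot1x,2017-02-03 09:00:00,2017-02-03 11:00:00
carol,10.1.1.10,wired-dot1x,2017-02-03 08:00:00,
carol,10.1.1.10,wireless-dot1x,2017-02-03 08:05:00,
dave,10.2.2.20,wired-dot1x,2017-02-03 08:00:00,
dave,172.16.0.5,vpn,2017-02-03 13:00:00,2017-02-03 14:00:00
"""

def parse_sessions(text):
    """Return (user, nas_ip, start, end) tuples; open sessions end at datetime.max."""
    sessions = []
    for row in csv.DictReader(io.StringIO(text)):
        start = datetime.strptime(row["session_start"], FMT)
        end = row["session_end"].strip()
        end = datetime.strptime(end, FMT) if end else datetime.max
        sessions.append((row["username"].strip().lower(), row["nas_ip"], start, end))
    return sessions

def concurrent_multi_location(sessions):
    """Map user -> [(nas_a, nas_b, overlap_start)] for overlapping sessions on different NAS IPs."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s[0]].append(s)
    findings = {}
    for user, rows in by_user.items():
        rows.sort(key=lambda s: s[2])
        pairs = []
        for i, a in enumerate(rows):
            for b in rows[i + 1:]:
                if b[2] >= a[3]:
                    break  # sorted by start, so no later session can overlap a
                if a[1] != b[1]:
                    pairs.append((a[1], b[1], b[2].strftime(FMT)))
        if pairs:
            findings[user] = pairs
    return findings

if __name__ == "__main__":
    for user, pairs in concurrent_multi_location(parse_sessions(SAMPLE_EXPORT)).items():
        print(user, pairs)
```

Back-to-back sessions (bob) and two sessions behind the same NAS (carol) are not flagged; only time-overlapping sessions on different NAS IPs are.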

02-06-2017 02:42 AM
Thanks Krish! Much appreciated..
