ISE Two Factor AuthZ and AuthC with OTP

scamarda
Cisco Employee

I have a customer that is using a 3rd-party RADIUS server to determine LDAP group membership as an attribute to see if VPN access is authorized before authenticating against an OTP.

Sequence is as follows:

User connects with username and OTP password; the VPN concentrator sends the credentials to the RADIUS server

RADIUS server takes the username and does an LDAP lookup to see if the user is a member of the VPN-Allowed group

If the user is not a member, the RADIUS server returns an access-reject

If the user is allowed, the RADIUS server then bounces the password off of the RADIUS-based OTP server

If the OTP is correct, the RADIUS server returns an access-accept and several LDAP attributes from the user's record to the VPN concentrator

This scenario uses authorization (group membership) as the method to verify if the user is allowed VPN before it does authentication against the OTP. It then returns LDAP attributes inside the RADIUS packet if authc/authz is successful. AuthZ from LDAP and AuthC from OTP.

Is this scenario possible with ISE?

4 Replies

hslai
Cisco Employee

Any specific reason to follow the flow sequence exactly like that?

At present, ISE by itself will always perform authentication first before going on with authorization. ASA supports multiple authentications, so I would suggest contacting the ASA support teams to see whether the ASA is able to perform authorization only in the first auth before going on with the real authentication in the 2nd auth.

This configuration is already in place using a Juniper concentrator and Juniper SBR. The user connects to the Juniper and enters their username/OTP. Juniper forwards to SBR; SBR queries LDAP and, if the group is correct, then bounces the OTP password off of the OTP server. If valid, SBR returns attributes to the concentrator. The customer is looking to replace SBR with ISE if the use case is supported. I believe the order of operations (AuthZ/AuthC) does not matter. I just need ISE to pull user attributes from one credential store and validate the password from another credential store. That's what the customer has in place now.

You are correct that ISE should be able to achieve the same results in retrieving LDAP attributes, as long as the sequence does not matter.
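The two flows discussed in this thread, modelled as an added example that is not part of the original post and not Cisco's, Juniper's or the customer's configuration: `sbr_order` checks LDAP group membership before the OTP (the existing SBR sequence) and `ise_order` validates the OTP before the group check (the ISE behaviour described in the reply). The directory, user names, group name, returned attributes and shared HOTP secret are all constructed for the demonstration; the OTP server is a stand-in that verifies RFC 4226 HOTP codes and advances the per-user counter on success. Both orders produce the same accept/reject result and return the same LDAP attributes, which is the point made above. The one observable difference the model surfaces is that with authentication first, the OTP server is contacted, and a valid code consumed, even for users who are then rejected on group membership.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Constructed sample LDAP directory (hypothetical users and attributes).
LDAP_DIRECTORY = {
    "alice": {"memberOf": ["VPN-Allowed", "Staff"], "mail": "alice@example.test", "department": "eng"},
    "bob": {"memberOf": ["Staff"], "mail": "bob@example.test", "department": "sales"},
}
VPN_GROUP = "VPN-Allowed"
RETURNED_ATTRIBUTES = ("mail", "department")  # attributes sent back in the Access-Accept

# RFC 4226 test secret; shared by every user here purely to keep the example short.
OTP_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return f"{code:0{digits}d}"


class OtpServer:
    """Stand-in for the RADIUS-based OTP server: per-user counter, small look-ahead window."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.window = window
        self.counters = {}   # user -> next expected counter
        self.attempts = 0    # how many validation requests reached this server

    def validate(self, user: str, code: str) -> bool:
        self.attempts += 1
        base = self.counters.get(user, 0)
        for counter in range(base, base + self.window):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.counters[user] = counter + 1  # code is consumed; replay now fails
                return True
        return False


def ldap_in_vpn_group(user: str) -> bool:
    return VPN_GROUP in LDAP_DIRECTORY.get(user, {}).get("memberOf", [])


def ldap_attributes(user: str) -> dict:
    record = LDAP_DIRECTORY.get(user, {})
    return {k: record[k] for k in RETURNED_ATTRIBUTES if k in record}


@dataclass
class RadiusResult:
    accept: bool
    attributes: dict = field(default_factory=dict)
    reason: str = ""


def sbr_order(user: str, otp: str, otp_server: OtpServer) -> RadiusResult:
    """AuthZ (LDAP group) first, then AuthC (OTP): the SBR sequence from the question."""
    if not ldap_in_vpn_group(user):
        return RadiusResult(False, reason="not in VPN-Allowed")
    if not otp_server.validate(user, otp):
        return RadiusResult(False, reason="bad OTP")
    return RadiusResult(True, ldap_attributes(user))


def ise_order(user: str, otp: str, otp_server: OtpServer) -> RadiusResult:
    """AuthC (OTP) first, then AuthZ (LDAP group): the order the reply describes for ISE."""
    if not otp_server.validate(user, otp):
        return RadiusResult(False, reason="bad OTP")
    if not ldap_in_vpn_group(user):
        return RadiusResult(False, reason="not in VPN-Allowed")
    return RadiusResult(True, ldap_attributes(user))


if __name__ == "__main__":
    for flow in (sbr_order, ise_order):
        server = OtpServer(OTP_SECRET)
        print(flow.__name__, "alice:", flow("alice", hotp(OTP_SECRET, 0), server))
        print(flow.__name__, "bob:  ", flow("bob", hotp(OTP_SECRET, 0), server),
              "OTP server contacted:", server.attempts)
```

The `attempts` counter is what makes the comparison useful: for `bob`, who is not in the group, `sbr_order` never touches the OTP server, while `ise_order` validates (and burns) his code first and only then rejects on group membership. Whether that matters for a given deployment depends on the OTP product's lockout and licensing behaviour, which this thread does not cover.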

Light went on.  Thanks for the help