MFA for ISE admin access?

reggie_obos (Level 1)

Hello guys, is it possible to enable MFA for admin access to the ISE PAN? I'm trying to use Ping ID for authentication and then our AD groups for authorization. But when I go to admin groups, it would only refer to PingID as the source and not the AD. Thanks in advance!


8 Replies

Hi,
MFA is not supported for ISE login. You can either use AD or Ping ID.
-Aravind

hslai (Cisco Employee)

When using RSA or a generic RADIUS token source as the ID source for ISE web admin access, it is external authentication and internal authorization; that is, the authentication uses the RSA or the generic RADIUS token server while the authorization is based on the internal admin groups. The latter is accomplished by creating a shadow admin user and assigning it to the proper internal admin group for admin access. See the screenshot of a sample shadow admin user and the screen capture video of ISE admin web login using Duo MFA/2FA.

[Screenshot: Screen Shot 2018-10-20 at 4.53.54 PM.png]

Thank you for the reply! 

What I actually want to do is use AD groups and assign them to the internal admin groups instead of creating individual admin users. When I go to Admin > Admin Access > Admin Groups, select a group (i.e. Super Admin), and select "External", ISE uses the RADIUS token as the identity source. How can I change it to use AD for authorization?

Authorization on AD groups is available only when the AD join point is selected as the external ID source for ISE admin. See Integrate ISE with MS Active Directory ...

For RSA or a generic RADIUS token server, the only option is to use the internal admin groups for authorizations.
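The "external authentication, internal authorization" split that hslai describes, and that the accepted answer restates for RSA and generic RADIUS token servers, modelled as an added Python example (this is not ISE's or Cisco's code): the ISE side builds an RFC 2865 Access-Request to a simulated RADIUS token server, verifies the Response Authenticator on the reply with the shared secret, and only then looks the username up in a local shadow-admin table to pick the internal admin group. The shared secret, the user/OTP pairs and the shadow-user table are constructed sample data, and the token server is a stand-in; only the shape of the flow is illustrated, not ISE's internals.

```python
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed sample data (not real credentials or ISE configuration).
SHARED_SECRET = b"constructed-shared-secret"
TOKEN_SERVER_USERS = {"reggie": "482913", "alice": "777111"}   # user -> current OTP
SHADOW_ADMINS = {"reggie": "Super Admin"}                       # ISE shadow user -> internal admin group


def _attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, length (including this 2-byte header), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(attrs: bytes) -> dict:
    """Walk an attribute list and return {type: value}; rejects lengths that would loop or overrun."""
    out, i = {}, 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            raise ValueError("truncated RADIUS attribute")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute length")
        out[atype] = attrs[i + 2:i + alen]
        i += alen
    return out


def _pw_transform(data: bytes, request_auth: bytes, hiding: bool) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding and its reverse: each 16-octet block is
    XORed with MD5(secret + previous ciphertext block); the first block chains from the
    Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(SHARED_SECRET + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, pad))
        out += result
        prev = result if hiding else block   # the ciphertext block, in both directions
    return out


def hide_password(password: str, request_auth: bytes) -> bytes:
    raw = password.encode()
    raw += b"\x00" * (-len(raw) % 16)        # pad to a multiple of 16 octets
    return _pw_transform(raw, request_auth, hiding=True)


def unhide_password(hidden: bytes, request_auth: bytes) -> str:
    return _pw_transform(hidden, request_auth, hiding=False).rstrip(b"\x00").decode()


def _packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(username: str, password: str, ident: int):
    request_auth = secrets.token_bytes(16)     # fresh random value per request
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password, request_auth)))
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + SHARED_SECRET).digest()


def token_server_respond(request: bytes) -> bytes:
    """Stand-in for an RSA / generic RADIUS token server: checks the OTP and answers
    Access-Accept or Access-Reject carrying no attributes, i.e. no group information."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode()
    otp = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), request_auth)
    ok = code == ACCESS_REQUEST and TOKEN_SERVER_USERS.get(user) == otp
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return _packet(rcode, ident, response_authenticator(rcode, ident, b"", request_auth), b"")


def verify_response(response: bytes, ident: int, request_auth: bytes) -> bool:
    """A reply counts only if its Identifier matches our request and its Response
    Authenticator was computed with the shared secret over exactly these bytes."""
    if len(response) < 20:
        return False
    code, rident, length = struct.unpack("!BBH", response[:4])
    if rident != ident or length != len(response):
        return False
    expected = response_authenticator(code, rident, response[20:length], request_auth)
    return hmac.compare_digest(expected, response[4:20])


def ise_admin_login(username: str, password: str, ident: int = 1):
    """External authentication, internal authorization: the token server only answers
    yes or no; the admin group comes from the local shadow-user table."""
    request, request_auth = build_access_request(username, password, ident)
    response = token_server_respond(request)
    if not verify_response(response, ident, request_auth) or response[0] != ACCESS_ACCEPT:
        return None                       # authentication failed or reply not authentic
    return SHADOW_ADMINS.get(username)    # None: authenticated, but no shadow admin user


if __name__ == "__main__":
    print(ise_admin_login("reggie", "482913"))   # Super Admin
    print(ise_admin_login("reggie", "000000"))   # None: wrong OTP
    print(ise_admin_login("alice", "777111"))    # None: no shadow admin user
```

The `alice` case is the situation the thread is about: the token server accepts the login, but because the Accept carries no group data and there is no shadow admin user, no internal admin group is granted. The Response Authenticator check is what makes a Reject that was altered into an Accept in transit fail verification, since the code byte is part of the hashed input.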

This is helpful. Thank you!

Are there instructions on how to accomplish this in a step-by-step manner?

Hi,

I have a similar use case for ISE admin access using an external RADIUS proxy with Okta Cloud. My request is not getting authenticated. I don't know if I am missing any steps. ISE version is 3.1.

Any help ?

Here is information on the flow and example ISE configuration with Duo MFA. I suspect you would need to take a similar approach with Okta if you're looking to use a RADIUS proxy flow.
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214813-configure-duo-two-factor-authentication.html

The other option would be using SAML, which was introduced as a feature enhancement in ISE 3.1.
https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_asset_visibility.html#task_h2d_4rn_znb