10-19-2018 03:23 AM
Hello guys, is it possible to enable MFA for admin access to the ISE PAN? I'm trying to use PingID for authentication and then our AD groups for authorization. But when I go to admin groups, it would only refer to PingID as the source and not the AD. Thanks in advance!
10-19-2018 03:38 AM
10-20-2018 04:56 PM
When using RSA or a generic RADIUS token source as the ID source for ISE web admin access, it is external authentication and internal authorization; that is, the authentication is using the RSA or the generic RADIUS token server while the authorization is based on the internal admin groups. The latter is accomplished by creating a shadow admin user and assigning it to the proper internal admin group for admin access. See the screenshot of a sample shadow admin user and the screen capture video of ISE admin web login using Duo MFA/2FA.
10-22-2018 04:08 AM
Thank you for the reply!
What I actually want to do is use AD groups and assign them to the internal admin groups instead of creating individual admin users. When I go to Admin > Admin Access > Admin Groups, select a group (i.e. Super Admin), and select "External", ISE uses the RADIUS token as the identity source. How can I change it to use AD for authorization?
10-22-2018 04:31 AM
Authorization on AD groups is available only when the AD join point is selected as the external ID source for ISE admin. See Integrate ISE with MS Active Directory ...
For RSA or a generic RADIUS token server, the only option is to use the internal admin groups for authorizations.
10-22-2018 04:37 AM
This is helpful. Thank you!
12-14-2018 09:12 AM
05-18-2023 07:04 AM
Hi,
I have a similar use case for ISE admin access using an external RADIUS proxy with Okta Cloud. My request is not getting authenticated. I don't know which steps I am missing. ISE version is 3.1.
Any help?
05-18-2023 07:13 PM
Here is information on the flow and example ISE configuration with Duo MFA. I suspect you would need to take a similar approach with Okta if you're looking to use a RADIUS proxy flow.
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214813-configure-duo-two-factor-authentication.html
The other option would be using SAML, which was introduced as a feature enhancement in ISE 3.1.
https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_asset_visibility.html#task_h2d_4rn_znb