10-19-2018 03:23 AM
Hello guys, is it possible to enable MFA for admin access to the ISE PAN? I'm trying to use Ping ID for authentication and then our AD groups for authorization. But when I go to admin groups, it would only refer to PingID as the source and not the AD. Thanks in advance!
Labels: Identity Services Engine (ISE)
10-19-2018 03:38 AM
MFA is not supported for ISE login. You can either use AD or Ping ID.
10-20-2018 04:56 PM
When using RSA or a generic RADIUS token source as the ID source for ISE web admin access, it is external authentication and internal authorization; that is, the authentication is using the RSA or the generic RADIUS token server while the authorization is based on the internal admin groups. The latter is accomplished by creating a shadow admin user and assigning it to the proper internal admin group for admin access. See the screenshot of a sample shadow admin user and the screen capture video of ISE admin web login using Duo MFA/2FA.
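The reply above describes a split between where credentials are verified (the RSA or RADIUS token server) and where the admin role is decided (ISE's internal admin groups, via a shadow admin user). The following Python model is an added illustration, not Cisco code and not how ISE is implemented internally: the token-server check, the shadow-admin table and all usernames and passcodes are constructed for the example. It shows the consequence that matters for the thread: an account the external source accepts but that has no shadow admin user gets no admin group, because the external source's own groups are never consulted in this flow.

```python
from dataclasses import dataclass
from typing import Callable, Mapping, Optional

@dataclass(frozen=True)
class AdminDecision:
    authenticated: bool          # did the external token server accept the credentials?
    admin_group: Optional[str]   # internal admin group, or None for no admin access

# Constructed shadow-admin table: ISE-side username -> internal admin group.
# In the design described in the reply, only this table decides the role.
SHADOW_ADMINS: Mapping[str, str] = {
    "alice": "Super Admin",
    "bob": "Helpdesk Admin",
}

def constructed_token_server(username: str, passcode: str) -> bool:
    """Stand-in for the RSA / generic RADIUS token server (constructed).

    It answers only accept/reject for a username + passcode; it returns no
    group information, which is why authorization must come from elsewhere.
    """
    demo_passcodes = {"alice": "123456", "bob": "654321", "carol": "111111"}
    return demo_passcodes.get(username) == passcode

def admin_login(
    username: str,
    passcode: str,
    token_check: Callable[[str, str], bool] = constructed_token_server,
    shadow_admins: Mapping[str, str] = SHADOW_ADMINS,
) -> AdminDecision:
    """External authentication, then internal authorization."""
    # Step 1: external authentication. A reject ends the flow with no role.
    if not token_check(username, passcode):
        return AdminDecision(authenticated=False, admin_group=None)
    # Step 2: internal authorization. The role is looked up by username in the
    # shadow-admin table; an authenticated user absent from it gets no access.
    return AdminDecision(authenticated=True, admin_group=shadow_admins.get(username))

if __name__ == "__main__":
    for user, code in (("alice", "123456"), ("carol", "111111"), ("alice", "000000")):
        print(user, admin_login(user, code))
```

Running the block shows the three cases a practitioner should expect from this flow: a known shadow admin with a valid passcode gets its internal group, a user the token server accepts but that has no shadow admin user is authenticated yet unauthorized, and a bad passcode is rejected before authorization is ever reached.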
10-22-2018 04:08 AM
Thank you for the reply!
What I actually want to do is use AD groups and assign them to the internal admin groups instead of creating individual admin users. When I go to Admin > Admin Access > Admin Groups, select a group (i.e. Super Admin), and select "External", ISE uses the RADIUS token as the identity source. How can I change it to use AD for authorization?
10-22-2018 04:31 AM
Authorization on AD groups is available only when the AD join point is selected as the external ID source for ISE admin. See Integrate ISE with MS Active Directory ...
For RSA or a generic RADIUS token server, the only option is to use the internal admin groups for authorizations.
10-22-2018 04:37 AM
This is helpful. Thank you!

05-18-2023 07:04 AM
Hi
I have a similar use case for ISE admin access using an external RADIUS proxy with Okta Cloud. My request is not getting authenticated. I don't know which steps I am missing. ISE version is 3.1.
Any help ?

05-18-2023 07:13 PM
Here is information on the flow and example ISE configuration with Duo MFA. I suspect you would need to take a similar approach with Okta if you're looking to use a RADIUS proxy flow.
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214813-configure-duo-two-factor-authentication.html
The other option would be using SAML, which was introduced as a feature enhancement in ISE 3.1.
https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_asset_visibility.html#task_h2d_4rn_znb
