10-06-2016 11:41 AM - edited 03-11-2019 12:08 AM
I am currently running Cisco Secure ACS for TACACS and other things. I have to move to another platform due to PCI DSS 3.2 requirements.
ISE is the leading contender to replace ACS but I also have a requirement to implement multi-factor authentication (MFA) everywhere.
The ISE 2.1 implementation guide states that RSA SecurID is supported for MFA with TACACS logins. I don't have RSA SecurID and likely won't ever have it.
The implementation guide and my Cisco vendor also make the more general statement that ISE will work with any MFA solution that has a RADIUS-compliant front-end. That's nice because I already have one of those (SafeNet/SafeWord). What they aren't saying is whether that will work specifically for authenticating TACACS authentications. The only docs I can find on this subject are all/only about ISE doing this for RADIUS clients such as the Cisco ASA handling AnyConnect VPN clients.
Has anybody gotten ISE TACACS to work with MFA with anything other than SecurID? Got links?
10-09-2016 05:42 PM
I'm told on good authority that SafeNet/SafeWord will indeed work with ISE 2.1+ as your TACACS server.
It relies on the fact that it works with all "RADIUS devices that adhere to the standard protocols".
Sorry but we don't have any doc or links for it.
10-10-2016 09:54 AM
Thanks for the reply Marvin!
Unfortunately, I have to be absolutely sure before making a recommendation to purchase. I was pretty sure myself a while ago but when I went through one of the SafeWord implementation guides it was only about RADIUS clients and it relied on the RADIUS challenge/response feature which is not present in the TACACS protocol, and when I looked more closely at the language used by my Cisco contact and others, I saw words like "believe" and "expect" rather than a definitive response like "Yes it will work".
I hope I don't have to install ISE with a trial license and figure it out myself.
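The post above refers to the RADIUS "challenge/response" feature: the server answers the first Access-Request with an Access-Challenge carrying a State attribute, and the client must send a second Access-Request echoing that State with the one-time code. The following is an added illustration, not code from the thread, from Cisco ISE or from SafeWord, and not real RADIUS wire encoding: packets are plain dicts keyed by attribute name, and the user record and OTP value are constructed for the example. It shows why an MFA front-end that depends on this mechanism needs a client that can carry State across two round trips.

```python
"""Minimal model of a RADIUS-style two-step (challenge/response) MFA exchange.

Added illustration only. Packets are dicts keyed by RADIUS attribute names;
the user store and the one-time code are constructed for the example.
"""
import hashlib
import hmac
import os
import time

# Constructed user store: static password and the one-time code currently valid.
USERS = {
    "alice": {"password": "correct horse", "otp": "492817"},
}

# Key used to sign the opaque State attribute, so the server needs no
# per-session memory and a client cannot forge or replay an old challenge.
STATE_KEY = os.urandom(32)
CHALLENGE_TTL = 60  # seconds a challenge stays valid


def _sign(msg: bytes) -> bytes:
    return hmac.new(STATE_KEY, msg, hashlib.sha256).digest()


def _make_state(user: str, now: float) -> bytes:
    body = f"{user}|{int(now)}".encode()
    return body + b"|" + _sign(body).hex().encode()


def _parse_state(state: bytes, now: float):
    """Return the user named in a valid, unexpired State, else None."""
    try:
        body, sig = state.rsplit(b"|", 1)
        user, issued = body.decode().split("|")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(body).hex().encode()):
        return None
    if now - int(issued) > CHALLENGE_TTL:
        return None
    return user


def handle_access_request(req: dict, now: float = None) -> dict:
    """Process one Access-Request and return Access-Challenge/Accept/Reject.

    Round 1: User-Name + User-Password            -> Access-Challenge (State)
    Round 2: User-Name + User-Password(OTP) + State -> Access-Accept / Reject
    """
    now = time.time() if now is None else now
    user = req.get("User-Name")
    password = req.get("User-Password", "")
    record = USERS.get(user)

    if "State" in req:
        # Second round: the OTP arrives in User-Password, bound to the challenge.
        if _parse_state(req["State"], now) != user:
            return {"Code": "Access-Reject", "Reply-Message": "Invalid or expired challenge"}
        if record and hmac.compare_digest(password.encode(), record["otp"].encode()):
            return {"Code": "Access-Accept"}
        return {"Code": "Access-Reject", "Reply-Message": "Bad passcode"}

    # First round: verify the static password, then challenge for the OTP.
    if record and hmac.compare_digest(password.encode(), record["password"].encode()):
        return {
            "Code": "Access-Challenge",
            "State": _make_state(user, now),
            "Reply-Message": "Enter your one-time passcode",
        }
    return {"Code": "Access-Reject", "Reply-Message": "Bad credentials"}


def full_login(user: str, password: str, otp: str, now: float = None) -> str:
    """Run both rounds as a NAS or proxy would and return the final Code."""
    first = handle_access_request({"User-Name": user, "User-Password": password}, now)
    if first["Code"] != "Access-Challenge":
        return first["Code"]
    second = handle_access_request(
        {"User-Name": user, "User-Password": otp, "State": first["State"]}, now)
    return second["Code"]


if __name__ == "__main__":
    print(full_login("alice", "correct horse", "492817"))  # Access-Accept
    print(full_login("alice", "correct horse", "000000"))  # Access-Reject
```

The State attribute is opaque to the client by design (RFC 2865): the client only has to echo it unchanged. Signing it with an HMAC and a timestamp, as here, is one common way to keep the server stateless while still rejecting forged, reordered or stale challenges; a proxy in front of such a server has to forward State in both directions or the second round cannot be matched to the first.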
10-10-2016 09:57 AM
Message me with your contact details - I will endeavor to put you in touch with some Cisco resources who can confirm your due diligence investigation.
10-10-2016 10:31 AM
Thanks Marvin.
Is there a way to send a private message within the forum? I'm not seeing one.
10-10-2016 10:40 AM
Click on your name in the top right to see your profile. Then choose the "Message" tab and click on "New Message".
04-03-2019 12:14 PM
Ok, so I understand that MFA authentication is only provided by 3rd-party vendors. For an RSA and Cisco ISE shop (our enterprise), what 2FA options are available other than these companies? And if not:
Is there a known configuration to configure a local certificate map to filter non-network admins when using RSA to run SSH or ASDM? Our RSA DB is not connected to LDAP.
Additionally: can ISE proxy the RSA/SDI communication, similar to how we have our AnyConnect clients currently configured?
MFA is easier using the remote access config because the server instance can do certificate plus username and password. Thx Marvin. Struggling here with 800-171 issues.