cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
560
Views
1
Helpful
6
Replies

MFA integration with cisco ISE

The goal is for the second of authentication factor to be required.
I've been trying to figure out for some time if there is a solution that would allow us to meet these requirements, I would be grateful if someone could help me.

6 Replies 6

Native DUO in 3.3+?

does not meet all the requirements including session caching and MFA for SSH. In addition, 3.3+ is a beta and not an official product.

 

What? MFA for SSH is certainly supported.... via TACACS+.....  3.3 is not a beta.  3.4 is also not a beta release?  What do you mean?

I didn't mean that mfa for ssh is not supported, but I can't understand how the session cahing mechanism can work with ssh,

You didn't give any specific requirements for your MFA solution in your original post. Please be very specific in your future requests to save everyone a lot of time. 

https://duckduckgo.com/?t=ffab&q=ise+mfa+integration gives you many, many answers and options to try. I also did a webinar about it: ▷ ISE & Duo Integration for MFA 2024-01-09. Search the ISE BERG for "mfa" for options, too.

ISE 3.3 has been released for over a year and 3.4 has been released for months. See https://cs.co/ise-software.

Whatever sources of information you have been using are incredibly inaccurate. Please use the following authoritative sources:

  ISE BERG (Big Encyclopedic Resource Guide) (https://cs.co/ise-berg)
 ISE Webinars (https://cs.co/ise-webinars) : First week of every month!
 ISE YouTube Channel: (https://cs.co/ise-youtube) : ISE Webinar archive and more!
 ISE Training (https://cs.co/ise-training) : YouTube, Cisco Live, and more!
 ISE Bar Public Webex Space (http://cs.co/ise-bar) Public means Customers, Competitors... Anyone.

 

JPavonM
VIP
VIP

Cisco ISE with MFA (DUO or Token server with MS NPS) provides a caching mechanism that can be manually set so to avoid admin users from continnuosly approving the MFA push notification (ir validation code) if they access to network devices consecutively.
This is something that an be enabled or disabled as you wish:

JPavonM_0-1727688256949.png

By the way, take care of configuring 2FA for GUI interfaces as they don't use to support TOTP but only push notifications. (Cisco WLC GUI, Palo Alto, F5, ...)