09-17-2024 02:05 AM - edited 09-25-2024 05:50 AM
The goal is for the second authentication factor to be required.
I've been trying to figure out for some time if there is a solution that would allow us to meet these requirements. I would be grateful if someone could help me.
09-17-2024 08:51 AM
Native DUO in 3.3+?
09-17-2024 08:57 AM
Does not meet all the requirements, including session caching and MFA for SSH. In addition, 3.3+ is a beta and not an official product.
09-17-2024 09:04 AM
What? MFA for SSH is certainly supported.... via TACACS+..... 3.3 is not a beta. 3.4 is also not a beta release? What do you mean?
09-18-2024 06:26 AM
I didn't mean that MFA for SSH is not supported, but I can't understand how the session caching mechanism can work with SSH,
09-26-2024 03:20 PM - edited 09-26-2024 03:21 PM
You didn't give any specific requirements for your MFA solution in your original post. Please be very specific in your future requests to save everyone a lot of time.
https://duckduckgo.com/?t=ffab&q=ise+mfa+integration gives you many, many answers and options to try. I also did a webinar about it: ▷ ISE & Duo Integration for MFA 2024-01-09. Search the ISE BERG for "mfa" for options, too.
ISE 3.3 has been released for over a year and 3.4 has been released for months. See https://cs.co/ise-software.
Whatever sources of information you have been using are incredibly inaccurate. Please use the following authoritative sources:
ISE Webinars (https://cs.co/ise-webinars) : First week of every month!
ISE YouTube Channel: (https://cs.co/ise-youtube) : ISE Webinar archive and more!
ISE Training (https://cs.co/ise-training) : YouTube, Cisco Live, and more!
ISE Bar Public Webex Space (http://cs.co/ise-bar) Public means Customers, Competitors... Anyone.
09-30-2024 02:25 AM
Cisco ISE with MFA (DUO or Token server with MS NPS) provides a caching mechanism that can be manually set to keep admin users from continuously approving the MFA push notification (or validation code) if they access network devices consecutively.
This is something that can be enabled or disabled as you wish:
By the way, take care when configuring 2FA for GUI interfaces, as they don't usually support TOTP but only push notifications. (Cisco WLC GUI, Palo Alto, F5, ...)