MFA integration with Cisco ISE
09-17-2024 02:05 AM - edited 09-25-2024 05:50 AM
The goal is for the second authentication factor to be required.
I've been trying to figure out for some time if there is a solution that would allow us to meet these requirements. I would be grateful if someone could help me.
Labels: Identity Services Engine (ISE), MFA
09-17-2024 08:51 AM
Native DUO in 3.3+?
09-17-2024 08:57 AM
Does not meet all the requirements, including session caching and MFA for SSH. In addition, 3.3+ is a beta and not an official product.
09-17-2024 09:04 AM
What? MFA for SSH is certainly supported... via TACACS+... 3.3 is not a beta. 3.4 is also not a beta release? What do you mean?
09-18-2024 06:26 AM
I didn't mean that MFA for SSH is not supported, but I can't understand how the session caching mechanism can work with SSH.

09-26-2024 03:20 PM - edited 09-26-2024 03:21 PM
You didn't give any specific requirements for your MFA solution in your original post. Please be very specific in your future requests to save everyone a lot of time.
https://duckduckgo.com/?t=ffab&q=ise+mfa+integration gives you many, many answers and options to try. I also did a webinar about it: ISE & Duo Integration for MFA 2024-01-09. Search the ISE BERG for "mfa" for options, too.
ISE 3.3 has been released for over a year and 3.4 has been released for months. See https://cs.co/ise-software.
Whatever sources of information you have been using are incredibly inaccurate. Please use the following authoritative sources:
ISE Webinars (https://cs.co/ise-webinars) : First week of every month!
ISE YouTube Channel: (https://cs.co/ise-youtube) : ISE Webinar archive and more!
ISE Training (https://cs.co/ise-training) : YouTube, Cisco Live, and more!
ISE Bar Public Webex Space (http://cs.co/ise-bar) Public means Customers, Competitors... Anyone.
09-30-2024 02:25 AM
Cisco ISE with MFA (DUO or Token server with MS NPS) provides a caching mechanism that can be set manually to keep admin users from continuously approving the MFA push notification (or validation code) if they access network devices consecutively.
This is something that can be enabled or disabled as you wish:
By the way, take care when configuring 2FA for GUI interfaces, as they don't usually support TOTP but only push notifications (Cisco WLC GUI, Palo Alto, F5, ...).
04-16-2025 06:16 AM
Hi,
I know this is a rather old post, but does anyone have some screenshots or documentation you can share about using Cisco ISE together with Microsoft NPS for device admin access? We've tried the setup below but it does not work as expected (yet).
The Microsoft NPS is configured as a RADIUS Token and set to be used as the Identity Store underneath Allowed Protocols in the AuthN section of the Policy Set. The AuthZ section contains only some AD groups as Condition. The problem we have is the userid/password check; even with a wrong password we get an MFA.
Any idea or suggestion would be much appreciated.
