Multifactor authentication with ISE and Free RADIUS with Google authenticator

Tibor Bajnok
Level 1

Hi All,

 

Our current deployment is: authenticate AnyConnect users using ISE local accounts and ISE as authorization server sending dACL to Firepower (according to user group):

AnyConnect  ->  Firepower  ->  ISE  ->  dACL  ->  Firepower

 

We tried to build multifactor authentication with FreeRADIUS (with Google Authenticator, RFC 2865 compliant) as the external RADIUS server of ISE. The MFA is successful, as shown below:

AnyConnect  ->  Firepower  ->  ISE  ->  FreeRADIUS
                                        separate username, password and 6-digit PIN
                                        check 6-digit PIN
                                        ask back to ISE for user password
                                        ISE answer: password OK
                ISE  <-  Access-Accept  <-  FreeRADIUS

 

Our problem is that, though multifactor authentication is successful, ISE did not send any dACL to Firepower.

Does anyone have any experience in this? Is it possible to keep the above scenario and make ISE send dACL to Firepower?

 

Thanks in advance

Tibor
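To make the FreeRADIUS side of the flow above concrete, here is an added example (not code from the thread, from Cisco or from the FreeRADIUS project) that models what that server does with the AnyConnect credential before it replies: split the trailing 6-digit PIN from the static password, verify the PIN as a Google Authenticator TOTP (RFC 6238, HMAC-SHA1, 30-second step), refuse a replayed code, and only then hand the remaining password back for the ISE check. Everything not in the post is an assumption: that password and PIN arrive concatenated in one User-Password field, that the per-user TOTP secret is base32 as Google Authenticator provisions it, and that the "ask ISE for the password" step is a callback. The secret and timestamps used in the demo are the RFC 6238 test vector, constructed here for illustration.

```python
"""Model of the MFA decision made by the external RADIUS server in the flow above.
Added example; secrets, usernames and the ISE callback are constructed assumptions."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with Google Authenticator defaults (30 s step, 6 digits, SHA-1)."""
    return hotp(key, timestamp // step, digits)


def split_credential(user_password: str, pin_digits: int = 6):
    """Separate the static password from the trailing PIN, as the flow above does.
    Returns (password, pin), or None when the field is too short or the PIN is not numeric."""
    if len(user_password) <= pin_digits:
        return None
    password, pin = user_password[:-pin_digits], user_password[-pin_digits:]
    if not pin.isdigit():
        return None
    return password, pin


def verify_pin(key: bytes, pin: str, timestamp: int, window: int = 1, step: int = 30) -> bool:
    """Accept the PIN for the current step or `window` steps either side (clock drift).
    Constant-time comparison so a wrong guess does not leak how many digits matched."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(key, timestamp + drift * step, step), pin):
            return True
    return False


def mfa_decision(username, user_password, secrets, check_password, timestamp, used_codes=None):
    """Decide Access-Accept (True) or Access-Reject (False) and give the reason.

    secrets:        {username: base32 TOTP secret}   (assumed provisioning store)
    check_password: callable(username, password) -> bool, models the 'ask ISE' step
    used_codes:     optional set recording (username, pin) pairs already accepted
    The order mirrors the thread: PIN first, then the password check against ISE."""
    parts = split_credential(user_password)
    if parts is None:
        return False, "malformed credential"
    password, pin = parts
    if username not in secrets:
        return False, "no TOTP secret for user"
    key = base64.b32decode(secrets[username], casefold=True)
    if not verify_pin(key, pin, timestamp):
        return False, "bad PIN"
    if used_codes is not None and (username, pin) in used_codes:
        return False, "replayed code"
    if not check_password(username, password):
        return False, "password rejected by ISE"
    if used_codes is not None:
        used_codes.add((username, pin))
    return True, "ok"


# Constructed demo data: the RFC 6238 test secret "12345678901234567890" in base32.
DEMO_SECRETS = {"tibor": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}


def demo_ise_check(username: str, password: str) -> bool:
    """Stand-in for the ISE password lookup; a real deployment asks ISE over RADIUS."""
    return username == "tibor" and password == "S3cret!"


if __name__ == "__main__":
    now = int(time.time())
    key = base64.b32decode(DEMO_SECRETS["tibor"])
    credential = "S3cret!" + totp(key, now)   # what the client would type: password + PIN
    seen = set()
    print(mfa_decision("tibor", credential, DEMO_SECRETS, demo_ise_check, now, seen))
    print(mfa_decision("tibor", credential, DEMO_SECRETS, demo_ise_check, now, seen))  # replay
```

The point for the thread's problem is visible in `mfa_decision`: the external server only ever produces a yes/no. Nothing in this path carries a group identity, so whatever is to drive the dACL has to be looked up by ISE itself in the authorization phase rather than expected back from the token server.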

5 Replies

M. Wisely
Level 4

In your radius server sequence, have you enabled 'On Access-Accept, continue to Authorization Policy' on the advanced tab?

Thank you for your idea. We tried it, but as it turned out our policy has some weakness. We have to rearrange things.

paul
Level 10

I am sure the continue-to-authorization option will work, but a cleaner approach in my opinion, if you don't need any special AV pairs back from FreeRADIUS, is to define the FreeRADIUS servers as RADIUS token servers in ISE. Doing this treats the RADIUS servers just like any other external identity source, and your policy sets all work the same.

Authentication is also successful when RADIUS acts as a token server, but after authentication ISE needs a Group-ID to determine the necessary dACL. ISE expects it from RADIUS, but RADIUS is not aware of it, and it would have to be sent via an AV pair. ISE does not want to use its own Group-ID for authorization.

Are these users also in AD? I usually don't use any attributes coming back from the token server. I just want it to run the MFA process and give me a yes/no. Then in the authorization phase you can do all the AD group checks you want to assign the correct dACL. I like having the AD group checking and control in ISE so everything is apparent.