Solved: Router/Switch 2 Factor authentication using ISE/TACACS and Safenet/Gemalto token RADIUS service

CSCO10576352 · ‎02-16-2019

Hi, I have been asked to look into implementing two factor authentication for device logon to our routers/switches/ASA firewalls using ISE with Safenet (Gemalto) providing the external RADIUS token services.

Is this scenario actually possible ? The documentation I have seen in relation to ISE on the Safenet site seems specific to 2FA for the purposes of ASA VPN services and not for actual local device access to the routers/switches/ASA's themselves which is what we are being asked to implement.

Currently device logon is done using TACACS authentication/authorisation against ISE which subsequently is setup to check the user credentials within AD.

The proposal we are being asked to implement is to amend this so:

User has to enter both AD credentials via TACACS and a one time passcode/token from Safenet (which uses RADIUS).

The intention would be to let the authorisation aspect remain within ISE/TACACS.

Has anyone set up a similar solution with ISE/Safenet 2FA services?

As per above is this even a feasible option, for example how is it seen/configured from the router/switch end in AAA?

Thanks for taking the time to read through and I appreciate any feedback.

CSCO10576352 · ‎04-07-2019

I managed to get this working in a lab setup using DUO Security as the 2FA provider.

I also found the below useful should anyone else be on a similar path:

DUO and ISE setup

View solution in original post

Mike.Cifelli · ‎02-16-2019

I am not familiar with implementing Safenet for 2FA. However, you can accomplish something similar using common access cards. See this: https://www.pragmasys.com/products/support/cisco-2-factor

Obviously not exactly what you are looking for, but this provides another option you can potentially use. More importantly this should help you with your configuration questions from a AAA standpoint. Tweak things as needed to match your environment.

HTH!

hslai · ‎02-16-2019

As ISE inherits T+ from ACS, please take a look at this guide -- 007-013144-001_SAS_IntegrationGuide_Cisco_Secure_ACS_LDAP_RADIUS_RevA.pdf The diagram in page 6 is pretty much it except we will replace RADIUS in Steps 2 and 6 with T+.

bern81 · ‎02-19-2019

Hi,

I used Gemalto for our employees ASA Remote Access VPN with 2FA.

You need to add the Gemalto IP address when creating a Radius server in ASA.

Then in the specified Tunnel-Group/Connection Profile use secondary authentication where you can point to the ISE radius or Local user DB (not advisable).

CSCO10576352 · ‎03-06-2019

Thanks for the feedback everyone, I have had to temporarily park this due to other commitments but my plan is to lab the proposed solution, once done I will endeavour to feedback my findings here.

CSCO10576352 · ‎04-07-2019

I managed to get this working in a lab setup using DUO Security as the 2FA provider.

I also found the below useful should anyone else be on a similar path:

DUO and ISE setup

mnagakum · ‎06-21-2023

Have a look at this Demo shared by Cisco (https://www.youtube.com/watch?v=daj4KqaeNNE&t=2104s)
It answers your particular use case. Go to 40:37 for the Demo