Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5104
Views
15
Helpful
5
Replies

Router/Switch 2 Factor authentication using ISE/TACACS and Safenet/Gemalto token RADIUS service

CSCO10576352
Level 1
Level 1

‎02-16-2019 02:15 PM

Hi, I have been asked to look into implementing two factor authentication for device logon to our routers/switches/ASA firewalls using ISE with Safenet (Gemalto) providing the external RADIUS token services.

 

Is this scenario actually possible ? The documentation I have seen in relation to ISE on the Safenet site seems specific to 2FA for the purposes of ASA VPN services and not for actual local device access to the routers/switches/ASA's themselves which is what we are being asked to implement.

 

Currently device logon is done using TACACS authentication/authorisation against ISE which subsequently is setup to check the user credentials within AD.

 

The proposal we are being asked to implement is to amend this so:

 

User has to enter both AD credentials via TACACS and a one time passcode/token from Safenet (which uses RADIUS).

The intention would be to let the authorisation aspect remain within ISE/TACACS.

 

Has anyone set up a similar solution with ISE/Safenet 2FA services?

 

As per above is this even a feasible option, for example how is it seen/configured from the router/switch end in AAA?

 

Thanks for taking the time to read through and I appreciate any feedback.

 

 

 

0 Helpful
5 Replies 5

Mike.Cifelli
VIP Alumni
VIP Alumni

‎02-16-2019 02:36 PM

I am not familiar with implementing Safenet for 2FA. However, you can accomplish something similar using common access cards. See this: https://www.pragmasys.com/products/support/cisco-2-factor

Obviously not exactly what you are looking for, but this provides another option you can potentially use. More importantly this should help you with your configuration questions from a AAA standpoint. Tweak things as needed to match your environment.

HTH!

hslai
Cisco Employee
Cisco Employee

‎02-16-2019 07:48 PM

As ISE inherits T+ from ACS, please take a look at this guide -- 007-013144-001_SAS_IntegrationGuide_Cisco_Secure_ACS_LDAP_RADIUS_RevA.pdf  The diagram in page 6 is pretty much it except we will replace RADIUS in Steps 2 and 6 with T+.

bern81
Level 1
Level 1
In response to hslai

‎02-19-2019 05:09 AM

Hi,

 

I used Gemalto for our employees ASA Remote Access VPN with 2FA.

 

You need to add the Gemalto IP address when creating a Radius server in ASA.

 

Then in the specified Tunnel-Group/Connection Profile use secondary authentication where you can point to the ISE radius or Local user DB (not advisable).

 

 

CSCO10576352
Level 1
Level 1
In response to bern81

‎03-06-2019 06:22 AM

Thanks for the feedback everyone, I have had to temporarily park this due to other commitments but my plan is to lab the proposed solution, once done I will endeavour to feedback my findings here.

0 Helpful

mnagakum
Cisco Employee
Cisco Employee

‎06-21-2023 09:53 PM

Have a look at this Demo shared by Cisco (https://www.youtube.com/watch?v=daj4KqaeNNE&t=2104s)
It answers your particular use case. Go to 40:37 for the Demo

0 Helpful
Customers Also Viewed These Support Documents