Seeking Clarity on 2FA "compatibility" with ISE

ggriesse@cisco.com
Cisco Employee

Hi all 

 

I just want to be clear on 2FA support with ISE. I have a customer mainly asking for 2FA on AAA for wired/wireless auth.

 

From what I understand, the following is possible with 2FA?

1) Admin Logins on ISE portals 

2) VPN AAA (AnyConnect and ISE Auth) 

3) TACACS+ 

 

What is NOT possible with 2FA?

1) Normal AAA on wired and wireless (EAP-MSCHAP or EAP-TLS)

2) Other NON-Admin Portals on ISE 

 

Is that correct?

 

Thx

Greg

6 Replies

Surendra
Cisco Employee
Depends on your definition of 2FA. Can you please let us know the customer's expectation of 2FA, or what they have in mind to do with ISE? ISE in itself does not provide the 2FA but does work with other authentication servers/providers to facilitate this to an extent. Check these out:
https://community.cisco.com/t5/security-documents/two-factor-authentication-on-ise-2fa-on-ise/ta-p/3636120
https://community.cisco.com/t5/identity-services-engine-ise/ise-as-two-factor-authentication-tool/td-p/3450391
https://community.cisco.com/t5/vpn-and-anyconnect/ise-two-factor-authentication-with-different-identity-store/td-p/3428646


Ok, fair enough, I should have been clearer ...

 

When I say 2FA, the customer is expecting something like DUO / RSA Token / Google Auth / Microsoft Authenticator.

 

/Greg

"From what I understand the following is possible with 2FA?
1) Admin Logins on ISE portals
2) VPN AAA (AnyConnect and ISE Auth)
3) TACACS+"

Correct.

One option not relating to this comment ("When I say 2FA - the customer is expecting something like DUO / RSA Token / Google Auth / Microsoft Authenticator") is to use Yubikey. It is simply just another physical medium that will allow you to accomplish 2FA.

Not sure if you are running NAM with AnyConnect, but I know you can run with EAP-FAST to accomplish EAP chaining. Essentially, in this scenario you would use EAP-FAST with EAP-TLS to authenticate computers via certificate and users via Yubikey + PIN. I have tested this and it works if you have the appropriate hardware and drivers.

Thx for the replies

 

The customer wants second-factor auth for AAA for wired and wireless for all devices.

 

So from what I understand, the only way to do 2FA (MFA) via token / Yubikey / whatever on wired/wireless AAA is using EAP-FAST? i.e. NO EAP-MSCHAPv2 or EAP-TLS?

 

That means it will exclude mobile devices, as clients will have to use AC NAM with EAP chaining ...

 

Is that correct? Any other ways to achieve this?

"The customer wants second-factor auth for AAA for wired and wireless for all devices" --> This is not possible with the way ISE works right now. I am assuming you mean 802.1X authentication with multi-factor authentication. To be honest, the protocol itself doesn't support this.

If you really want that, you could force them through a CWA portal using SAML to DUO, for example.