Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1471
Views
0
Helpful
6
Replies

Seeking Clarity on 2FA "compatibility" with ISE

Go to solution
ggriesse@cisco.com
Cisco Employee
Cisco Employee

‎08-05-2019 12:49 AM

Hi all 

 

I just want to be clear on 2FA support with ISE , i have a customer mainly asking for 2FA on AAA for wired/Wireless Auth 

 

From what I understand the following is possible with 2FA ?

1) Admin Logins on ISE portals 

2) VPN AAA (AnyConnect and ISE Auth) 

3) TACACS+ 

 

what is NOT possible with 2FA ?

1) Normal AAA on Wired and Wireless (EAP-MSchap or EAP-TLS) 

2) Other NON-Admin Portals on ISE 

 

Is that correct ? 

 

Thx

Greg

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to ggriesse@cisco.com

‎08-05-2019 06:06 AM

From what I understand the following is possible with 2FA ?
1) Admin Logins on ISE portals
2) VPN AAA (AnyConnect and ISE Auth)
3) TACACS+
Correct.
One option not relating to this comment: When I say 2FA - the custom is expecting something like DUO / RSA Token / Google Auth / Microsoft Authenticator is to use Yubikey. It is simply just another physical medium that will allow you to accomplish 2FA.
Not sure if you are running NAM with Anyconnect, but I know you can run with eap-fast to accomplish eap-chaining. Essentially in this scenario you would use eap-fast with eap-tls to authenticate computers via certificate and users via Yubikey + pin. I have tested this and this works if you have the appropriate hardware and drivers.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Surendra
Cisco Employee
Cisco Employee

‎08-05-2019 04:36 AM

Depends on your definition of 2FA. Can you please let us the customer’s expectation of 2FA or what they have in mind to do with ISE ? ISE in itself does not provide the 2FA but does work with other authentication servers/providers to facilitate this to an extent. Check these out https://community.cisco.com/t5/security-documents/two-factor-authentication-on-ise-2fa-on-ise/ta-p/3636120 , https://community.cisco.com/t5/identity-services-engine-ise/ise-as-two-factor-authentication-tool/td-p/3450391 , https://community.cisco.com/t5/vpn-and-anyconnect/ise-two-factor-authentication-with-different-identity-store/td-p/3428646


0 Helpful

Go to solution
ggriesse@cisco.com
Cisco Employee
Cisco Employee
In response to Surendra

‎08-05-2019 05:11 AM

Ok Fair enough I should have been clearer ...

 

When I say 2FA - the custom is expecting something like DUO / RSA Token / Google Auth / Microsoft Authenticator 

 

/Greg

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to ggriesse@cisco.com

‎08-05-2019 06:06 AM

From what I understand the following is possible with 2FA ?
1) Admin Logins on ISE portals
2) VPN AAA (AnyConnect and ISE Auth)
3) TACACS+
Correct.
One option not relating to this comment: When I say 2FA - the custom is expecting something like DUO / RSA Token / Google Auth / Microsoft Authenticator is to use Yubikey. It is simply just another physical medium that will allow you to accomplish 2FA.
Not sure if you are running NAM with Anyconnect, but I know you can run with eap-fast to accomplish eap-chaining. Essentially in this scenario you would use eap-fast with eap-tls to authenticate computers via certificate and users via Yubikey + pin. I have tested this and this works if you have the appropriate hardware and drivers.
0 Helpful

Go to solution
ggriesse@cisco.com
Cisco Employee
Cisco Employee
In response to Mike.Cifelli

‎08-05-2019 11:49 PM

Thx for the replies

 

the customer wants second-factor auth for AAA for Wired and Wireless for all devices 

 

So from what I understand the only way to do 2FA (MFA) via token / Ubikey / Whatever on Wired/Wireless AAA is using eap-fast ? ie NO EAP-Mschav2 or EAP-TLS ?

 

That means it will exclude Mobile devices .. as clients will have to use AC Nam with EAP chaining ...

 

Is that correct? any other ways to achieve this?

0 Helpful

Go to solution
Surendra
Cisco Employee
Cisco Employee
In response to ggriesse@cisco.com

‎08-07-2019 11:27 AM

"the customer wants second-factor auth for AAA for Wired and Wireless for all devices " -- > This is not possible with the way ISE works right now. I am assuming you mean to say 802.1x authentication with multi factor authentication. To be honest, the protocol itself doesn't support this.
0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Surendra

‎08-07-2019 11:33 AM

If you really want that you could force them through a CWA portal using SAML to DUO for example
0 Helpful
Top