
Supplicant Settings for 2Factor dot1x Authentication

umahar
Cisco Employee

Hi,

I have a customer who wants to use SafeNet for 2-factor authentication for dot1x.

According to the SafeNet ISE integration guide for VPN, SafeNet is added as a Radius Server Token so I am guessing the same configuration will be applied for dot1x.

1. What various options do we have for supplicant configuration for a) Windows b) MAC c) Mobile Endpoints?

2. The customer also wants the user to only enter their user-id and passcode and does not want the user to enter the AD password. Is this possible? I've seen an integration with Duo using EAP-GTC but that requires AD username and password.

Thanks in advance


hslai
Cisco Employee

You are correct that ISE supports EAP-GTC with a RADIUS token server as the ID source.

1.a. Windows can use either native supplicant or AnyConnect

1.b. macOS native supplicant and Apple iOS are not specifying the inner method on the endpoints' side. We should be able to use ISE allowed protocols to influence EAP-GTC selected as the inner method.

1.c. My Google Nexus 5X running Android 8.1.0 test device has GTC as one of the options for Phase 2 auth. Thus, I believe newer Android devices likely all have such support.

2. Most token vendors have the option of either using OTP alone or combining it with another password. Thus, I believe SafeNet has similar options.

umahar
Cisco Employee

Thanks.

I'll test these options out in lab.

I also have another customer who uses RSA token for Windows login.

Is it possible to use this RSA token for dot1x authentication in EAP-GTC like we do user authentication in PEAP-MSCHAPv2 by selecting 'Use My Windows login'?

hslai
Cisco Employee

After looking again, I am not finding the option to set token or EAP-GTC with Windows native supplicant. Sorry for my mistake. I must have been thinking of smart card.

umahar
Cisco Employee

Viktor did mention this briefly.

I think on Windows 10 this can be achieved natively by using EAP-TTLS.

We definitely need a guide or a doc as I see more customers looking for 2FA on dot1x.

hslai
Cisco Employee

When you get everything worked out, please contribute it as a doc to this community. Thanks a lot!