
TACACS+ support for 2-Factor Authentication

Michael McPhee
Cisco Employee

Hello,

I have received several recent requests for 2FA with TACACS support in ISE 2.0, with some customers indicating they have been told by other customers that "it works".  Having looked through the documentation, I have not seen anything to indicate we support it.  Can anyone provide details as to when it will be supported, or if it already is - how it is supported?

I know this is something we have done for a long time in both ACS and ISE for network access using RADIUS.

I can only locate the link to the Pragma Systems announcement and solution from CLUS 2015, but that appears to be certificate-based and to rely on their assistance and some features in both the terminal program and their use of OCSP to make this work. How about for RSA tokens, OTPs, certificates, etc.? Any plans there?

Thank you!

Accepted Solutions

Aaron Woland
Cisco Employee

Yes it is.  You just point to the external 2-factor system as the Identity Source for the Authentication; just like with network access.

In the Device Administration WorkCenter, look for Ext ID Source (External ID Sources).

Aaron

hslai
Cisco Employee

In the case of certificates or pubkey for SSH, the authentication will be local. However, it's possible to continue with T+ EXEC authorization, command authorization, and accounting, depending on the network device T+ implementation.