Solved: Two factor authentication on LAN

vgoda · ‎01-10-2018

Hello Team,

I had a query on two factor authentication on LAN, can this be achievable on LAN. The requirement is to have the following-

- When the user connects his laptop on LAN, he should authenticate using his domain login and he should be prompted for a second factor before he is allowed access to the LAN.

- What is the licensing requirement to achieve this?

- Is there a limitation on the switch capability for this? Any particular variant only that supports this?

Regards,

Vikram

Craig Hyps · ‎01-10-2018

Vikram,

As already discussed on your internal post...

Yes, this is achievable in many different ways. Here a pointer to a particular session (BRKSEC-3697 from Melbourne 2017) which touches on various methods to achieve multiple identity auth. Also, OTP is supported for 802.1X and WebAuth to allow Token servers like RSA to be used as the ID store.

Craig

View solution in original post

ognyan.totev · ‎01-10-2018

Hello,

1st Domain machine + certificate on machine

2nd Domain user + certificate on user(or username or password)

This will be simple dot1x authentication.\

You can check this Two Factor Authentication on ISE – 2FA on ISE

hslai · ‎01-10-2018

ISE does single authentications, other than EAP Chaining and CWA Chaining. However, a single authentication can be done with a multi-factor software/device. If not done already, I would suggest you to read:

Why Multi-Factor and Two-Factor Authentication May Not Be the Same
SP 800-63B (esp. 4. Authenticator Assurance Levels):
- Multi-Factor OTP by itself can achieve AAL2.

Craig Hyps · ‎01-10-2018

Vikram,

As already discussed on your internal post...

Yes, this is achievable in many different ways. Here a pointer to a particular session (BRKSEC-3697 from Melbourne 2017) which touches on various methods to achieve multiple identity auth. Also, OTP is supported for 802.1X and WebAuth to allow Token servers like RSA to be used as the ID store.

Craig