
Is Cisco ISE NAC and 2FA at Windows Logon possible?

yauhn (Level 1)

Is it possible to have both network access control on our VLANs and two-factor authentication in place (e.g. Cisco Duo) at Windows logon?

So we want to have users log on to their Windows machine, and at that point in time they are thrown into an isolated VLAN with access only to the Duo servers, so they can approve Cisco Duo's 2FA challenge on their phone and complete authentication, and then ISE redirects them to whichever VLAN they have access to. Is this even possible?

3 Replies

balaji.bandi (Hall of Fame)

This is possible. Is this for wired or wireless clients?

BB

So this question was copied from a post that I posted on Reddit:
Is Cisco ISE NAC and 2FA at Windows Logon possible? : Cisco (reddit.com)

To reply to your question: if possible, we wish to apply this to both wired and wireless. To recap, we want to have 2FA at Windows logon and then have NAC applied once the user authenticates. We have also moved away from Windows Hello for Business, rightly because it stores biometric data locally on the TPM, hence it will never pass the auth details to Cisco ISE. We're trying Duo now, at Windows logon; however, since the user would obviously not have authenticated yet, they would not have any access to the Duo servers on the internet, and they will be prompted with an offline code on every startup. Is there any way around this? Maybe set the user on an isolated VLAN at logon, with access only to the Duo servers. So far we have not managed to find the right solution to what we have in mind.

When doing this, you will just need to put a pre-auth ACL in place allowing access to the Duo servers. It will need to include the Duo IPs (https://help.duo.com/s/article/1337?language=en_US) in addition to allowing DHCP and DNS.

More info here: https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId-1594628171

Add the Duo servers' public IPs to the ACL in that example and name it according to the usage.
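The pre-auth ACL described in the reply above, as an added example that is not part of the original thread or the linked Cisco guide. It is written in Cisco IOS extended ACL syntax for a wired port in ISE low-impact mode. The ACL name, the interface, the DNS server address (192.0.2.10) and the Duo range (203.0.113.0/24) are placeholders; substitute your own resolver and the current Duo IP list from the Duo help article before using it.

```cisco
! Added example, not from the thread or the Cisco guide.
! Placeholders (assumptions): 192.0.2.10 = internal DNS resolver,
! 203.0.113.0/24 = one Duo service range; use the real list from
! https://help.duo.com/s/article/1337 and add one line per range.
ip access-list extended PRE-AUTH-DUO
 remark DHCP so the client can obtain an address before any authentication
 permit udp any eq bootpc any eq bootps
 remark DNS so the Duo Windows Logon client can resolve api-XXXXXXXX.duosecurity.com
 permit udp any host 192.0.2.10 eq domain
 permit tcp any host 192.0.2.10 eq domain
 remark Duo service ranges, HTTPS only (placeholder range below)
 permit tcp any 203.0.113.0 0.0.0.255 eq 443
 remark everything else stays blocked until ISE pushes the post-auth dACL
 deny ip any any
!
interface GigabitEthernet1/0/1
 description user port, ISE low-impact mode (placeholder interface)
 switchport mode access
 authentication port-control auto
 ip access-group PRE-AUTH-DUO in
```

Two things to check once it is in place: the Duo Authentication for Windows Logon client reaches your Duo API hostname over TCP 443 and needs DNS to resolve it, so an ACL that permits only the Duo ranges and not the resolver will still fall back to the offline code prompt; and the static port ACL only governs the session while it is unauthenticated, because the dACL that ISE returns in the authorization profile replaces it for that host once the user (or machine) authenticates. For wireless the equivalent is a pre-auth ACL defined on the WLC and referenced by name from the ISE authorization profile, not a switchport ACL.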
