ISE Admin GUI, using Radius for MFA

Hello guys,

ISE version 3.2 patch 3. We want to change our old MFA server to a new one running RADIUS NPS (Windows). From my understanding, I need to configure a RADIUS Token Identity source. This has been configured; I've created a local user, then bound it in the admin access section with Super Admin rights.

I tried to log in to the web UI. The RADIUS auth is sent to the NPS, which can be seen in the NPS logs, and it seems to be authorized, but I get invalid password, and no MFA is triggered.


The NPS logs show the admin user located in Active Directory, which is fine; they say it's valid and then return as if it was a success, but I think the fact that no MFA is triggered is what gives the invalid username/password.

Note: The MFA is working for other services in the network (and I am not administering the NPS server; this is another team).


I was thinking that maybe this config needs to be set up on the NPS server?


The RADIUS Token server may be configured to return a value in a Cisco av-pair with the format:attribute_name. If this is received from the Token Server, it may be placed into a dictionary value for subsequent authorization policy. To enable this feature, enter a name for the RADIUS Token Dictionary attribute below.

A common case is a "CiscoSecure-Group-Id" in the Cisco av-pair, using the name CiscoSecure-Group-Id.

Any tips, help or advice is really appreciated.


Thanks
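The av-pair feature described in the quoted help text, as an added example that is not part of the original post or of any Cisco or Microsoft code: a small Python decoder for the Access-Accept/Access-Reject a RADIUS token server returns, which verifies the Response Authenticator against the shared secret (RFC 2865) before reading any Cisco av-pair out of the Vendor-Specific attribute. The shared secret, Request Authenticator, packet and group-id value are constructed for the example; the attribute numbers are the standard RADIUS and Cisco ones.

```python
import hashlib
import hmac
import struct

VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1   # RFC 2865 type 26, IANA enterprise 9, cisco-avpair
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3

def parse_attributes(data):
    """Yield (type, value) pairs from a RADIUS attribute list; also used for the sub-TLVs inside a VSA."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        atype, alen = data[pos], data[pos + 1]
        yield atype, data[pos + 2:pos + alen]
        pos += alen

def cisco_avpairs(attributes):
    """Return the cisco-avpair strings (e.g. 'CiscoSecure-Group-Id=ise-admins') carried in Cisco VSAs."""
    pairs = []
    for atype, value in attributes:
        if atype == VENDOR_SPECIFIC and len(value) > 4 and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            pairs += [v.decode("utf-8", "replace") for t, v in parse_attributes(value[4:]) if t == CISCO_AVPAIR]
    return pairs

def parse_token_reply(packet, request_authenticator, secret):
    """Check the Response Authenticator (RFC 2865 section 3) before trusting anything in the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret, or reply not from the token server")
    return {"code": code, "accept": code == ACCESS_ACCEPT, "avpairs": cisco_avpairs(parse_attributes(packet[20:]))}

def build_reply(code, ident, request_authenticator, secret, attributes):
    """Build a reply packet the way a server does, so the parser can be exercised offline."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_authenticator + body + secret).digest() + body

def cisco_vsa(text):
    """Encode one cisco-avpair string as the value of a Vendor-Specific attribute."""
    sub = text.encode()
    return struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(sub) + 2) + sub

# Constructed sample (not real NPS output): Access-Accept carrying a group id for the admin user
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))   # constructed Request Authenticator taken from our own Access-Request
SAMPLE_ACCEPT = build_reply(ACCESS_ACCEPT, 7, REQ_AUTH, SECRET, [(VENDOR_SPECIFIC, cisco_vsa("CiscoSecure-Group-Id=ise-super-admins"))])
```

Running `parse_token_reply` on a reply captured from the token server shows whether it is an Access-Accept at all and whether the av-pair named in the ISE dictionary setting is actually present; a mismatched shared secret surfaces as an authenticator error rather than a silent reject.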


2 Replies

To configure RADIUS Token identity source on Cisco ISE, follow these steps:

1. In the Cisco ISE GUI, click the Menu icon and choose Administration > Identity Management > External Identity Sources > RADIUS Token.

2. On the RADIUS Token Identity Sources window, click Add to create a new RADIUS token server.

3. Enter a name for the RADIUS token server in the Name field.

4. Enter a description for the RADIUS token server in the Description field (optional).

5. Check the SafeWord Server checkbox if your RADIUS identity source is a SafeWord server.

6. Enable the secondary server by checking the Enable Secondary Server checkbox. This will allow Cisco ISE to use the secondary server as a backup in case the primary server fails.

7. Choose whether Cisco ISE should always access the primary server first by clicking the Always Access Primary Server First option.

8. Specify the fallback time to the primary server in minutes by clicking the Fallback to Primary Server after option and entering the desired time.

9. Enter the IP address of the primary RADIUS token server in the Primary Server Host IP field.

10. Enter the shared secret configured on the primary RADIUS token server in the Shared Secret field.

11. Enter the authentication port number on which the primary RADIUS token server is listening.

12. Specify the server timeout value in seconds.

13. Optionally, specify the number of connection attempts Cisco ISE should make to the primary server before moving on to the secondary server.

14. If you have enabled the secondary server, enter the IP address of the secondary RADIUS token server in the Secondary Server Host IP field.

15. Enter the shared secret configured on the secondary RADIUS token server in the Shared Secret field.

16. Enter the authentication port number on which the secondary RADIUS token server is listening.

17. Specify the server timeout value in seconds for the secondary server.

18. Optionally, specify the number of connection attempts Cisco ISE should make to the secondary server before dropping the request.

19. Click Save to save the RADIUS token server configuration.

20. You have now successfully configured the RADIUS token identity source on Cisco ISE.

Note: The specific configuration details may vary depending on your environment and requirements. Refer to the Cisco ISE documentation for more detailed information and configuration options.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.

JPavonM
VIP

I had the same problem and opened a similar question today, but after reviewing the MS Authenticator app settings for the admin username I'm using for authentication, and finishing the configuration in the app, I'm now receiving the 'Approve' pop-up and it is working with push notifications (NOT working with verification code).
