09-08-2023 06:56 AM
Hello guys,
ISE version 3.2 patch 3. We want to change our old MFA server to a new one running RADIUS NPS (Windows). From my understanding, I need to configure a RADIUS Token Identity Source. This has been configured; I've created a local user, then bound it in the admin access section, with Super Admins rights.
I tried to log in to the web UI. The RADIUS auth is sent to the NPS, which can be seen in the NPS logs, and seems to be authorized, but I get invalid password, and no MFA is triggered.
The NPS logs detected the admin user location in Active Directory, which is fine, say it's valid, then return as if it was a success, but I think the fact that no MFA is triggered gives the invalid username/password.
Note: The MFA is working for other services in the network (and I am not administering the NPS server, this is another team).
I was thinking that maybe this config needs to be setup on the NPS server?
The RADIUS Token server may be configured to return a value in a Cisco av-pair with the format:attribute_name. If this is received from the Token Server, it may be placed into a dictionary value for subsequent authorization policy. To enable this feature, enter a name for the RADIUS Token Dictionary attribute below.
A common case is a "CiscoSecure-Group-Id" in the Cisco av-pair, using the name CiscoSecure-Group-Id.
Any tips, help, or advice are really appreciated.
Thanks
09-11-2023 04:34 AM
06-10-2024 01:54 AM
I had the same problem and opened a similar question today, but after reviewing the MS Authenticator app settings for the admin username I'm using for authentication, and finishing the configuration in the app, I'm now receiving the 'Approve' pop-up and it is working with push notifications (NOT working with verification code).