dbellamk (Cisco Employee)
Two-Factor Authentication for Cisco Digital Network Architecture (DNA) center Using Cisco ISE and RSA SecurID

 

Introduction

This document shows how to set up two-factor authentication for logging in to the Cisco DNA Center (DNAC) web interface, using an RSA SecurID token that combines the user's PIN with a one-time tokencode.

Two-factor authentication requires two or more authentication factors to gain access to a secured system: something the user knows (the PIN) and something the user has (a hardware token, or the SecurID application on a laptop or mobile device). Because the resulting one-time passcode is valid for a single login session only, it addresses the organizational security concern of relying on a static password alone.

Two-factor authentication is supported when Cisco DNAC is configured to authenticate users against an external authentication server over RADIUS or TACACS+.

Cisco ISE supports the RSA SecurID server as an external identity source. RSA SecurID two-factor authentication consists of the user's PIN plus an individually registered RSA SecurID token that generates single-use tokencodes.

Each RSA SecurID token is unique, and the RSA server validates the tokencode it generates. When the correct tokencode is supplied together with the PIN, the user is authenticated; this makes RSA SecurID a more reliable authentication mechanism than a static password alone.

 

Prerequisite

Cisco DNAC Appliance 1.2.8

An authentication server such as ISE, or another RADIUS/TACACS+ server, that can return cisco-av-pair attributes conveying the RBAC role authorization of the authenticated Cisco DNAC user.

A two-factor token server such as RSA SecurID (RSA Authentication Manager) that can act as a backend for ISE, or that itself supports the RADIUS protocol mentioned above.

A token card or the RSA SecurID application on the client PC/Mac that generates the login tokencode.

 

Devices Used

 

Cisco DNAC

Cisco ISE 2.3 Patch 1

RSA SecurID Token Server ( RSA Authentication Manager-7.2 )

RSA SecurID Token Client

Authentication Workflow

  1. The user enters their PIN in the RSA SecurID client to obtain the RSA SecurID one-time token (passcode)

  2. On the Cisco DNAC login page the user enters the username and the RSA SecurID passcode

  3. Cisco DNAC sends the username/passcode request to Cisco ISE over the RADIUS protocol

  4. ISE in turn forwards it to RSA AM (Authentication Manager)

  5. RSA AM validates the PIN and tokencode and tells ISE that authentication succeeded

  6. ISE matches the authenticated user to the configured authorization profile

  7. ISE returns a cisco-av-pair with role=NETWORK-ADMIN-ROLE from that authorization profile

  8. Cisco DNAC uses the RBAC role to grant the user access to the relevant features and pages

Screen Shot 2019-04-09 at 11.30.03 AM.png
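The exchange in steps 3 and 7 above, as an added example that is not part of the original article: a minimal RFC 2865 RADIUS Access-Request/Access-Accept built in Python, showing where the PIN+tokencode passcode travels (hidden in User-Password under the shared secret) and how the role comes back in a Cisco vendor-specific attribute (vendor 9, attribute 1, cisco-av-pair). The shared secret, identifier, username and passcode are constructed, and the Access-Accept is built locally to stand in for ISE.

```python
"""Added example, not from the original article: a minimal RFC 2865 RADIUS
exchange showing what Cisco DNAC sends to ISE for a SecurID login and how
the RBAC role comes back in a cisco-av-pair VSA (vendor 9, attribute 1).
Assumptions: the shared secret, identifier, username and PIN+tokencode
below are constructed; the Access-Accept is built locally to stand in for ISE."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VSA = 1, 2, 26
VENDOR_CISCO, CISCO_AVPAIR = 9, 1


def _attr(atype, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def encrypt_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def decrypt_password(secret, authenticator, blob):
    """Inverse of encrypt_password (what ISE does before forwarding to RSA AM)."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, ident, username, passcode, authenticator=None):
    """DNAC side: the PIN+tokencode passcode travels hidden in User-Password."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(
        ATTR_USER_PASSWORD, encrypt_password(secret, authenticator, passcode.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_accept(secret, request, avpair):
    """Stand-in for ISE: Access-Accept carrying cisco-av-pair, e.g. role=NETWORK-ADMIN-ROLE."""
    vsa = struct.pack("!IBB", VENDOR_CISCO, CISCO_AVPAIR, len(avpair) + 2) + avpair.encode()
    attrs = _attr(ATTR_VSA, vsa)
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def parse_attrs(packet):
    """Walk the attribute list after the 20-byte header into (type, value) pairs."""
    attrs, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def verify_and_extract_role(secret, request, response):
    """DNAC side: reject a reply whose Response Authenticator does not verify under
    the shared secret (forged reply), then pull role= out of cisco-av-pair."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    if response[1] != request[1] or not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator check failed: not from the configured server")
    if response[0] != ACCESS_ACCEPT:
        return None
    for atype, value in parse_attrs(response):
        if atype == ATTR_VSA:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == VENDOR_CISCO and vtype == CISCO_AVPAIR:
                text = value[6:4 + vlen].decode()
                if text.lower().startswith("role="):
                    return text.split("=", 1)[1]
    return None


def demo():
    secret = b"constructed-shared-secret"        # must match on DNAC and ISE
    passcode = "1234" + "59830271"               # PIN + tokencode, both constructed
    req = build_access_request(secret, 42, "dnac_admin", passcode)
    resp = build_access_accept(secret, req, "role=NETWORK-ADMIN-ROLE")
    return verify_and_extract_role(secret, req, resp)


if __name__ == "__main__":
    print(demo())
```

The shared secret is the only thing that hides the passcode and authenticates ISE's reply, so it should be long and random and the ISE network-device entry for DNAC should be restricted to DNAC's address; a reply with a bad Response Authenticator is rejected rather than trusted.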

Configurations

We created two users in RSA SecurID AM: dnac_observer and dnac_admin.

Screen Shot 2019-04-09 at 11.37.37 AM.png

First, integrate RSA Authentication Manager with Cisco ISE:

Create a new Authentication Agent pointing to Cisco ISE, with the ISE node's details.

This is done under Access > Authentication Agents > Add New:

Screen Shot 2019-04-09 at 11.37.47 AM.png

After we added, it shows up like this:

Screen Shot 2019-04-09 at 11.40.24 AM.png

Now, from the RSA Security Console, navigate to Access > Authentication Agents > Generate Configuration File to generate the sdconf.rec configuration file:

Screen Shot 2019-04-09 at 11.40.31 AM.png

Use the default values for Maximum Retries and Maximum Time Between Each Retry:

Screen Shot 2019-04-09 at 11.40.39 AM.png

Download the configuration file:

Screen Shot 2019-04-09 at 11.40.47 AM.png

The downloaded .zip file contains the actual configuration file, sdconf.rec, which the ISE administrator needs in order to complete the configuration.

As the first part of authentication, we have to generate a PIN for each username in RSA AM.

To do that, log in to the RSA AM Self-Service Console as each of the users we created (dnac_admin and dnac_observer) and generate a PIN for each user.

Now go to Cisco ISE.

In the Cisco ISE, navigate to Administration > Identity Management > External Identity Sources > RSA SecurID, and click Create:

Upload the sdconf.rec file that was downloaded from the RSA server:

Screen Shot 2019-04-09 at 11.40.57 AM.png

It then shows up like this:

Screen Shot 2019-04-09 at 11.41.05 AM.png

Cisco ISE and RSA AM are now integrated.

Next, add Cisco DNA Center as a network device under Administration > Network Devices, with the RADIUS and/or TACACS+ shared secret set. For this document we configured a network device called DNAC and assigned it a device type of DNAC for ease of policy creation.

Screen Shot 2019-04-09 at 11.41.13 AM.png

We will now create two authorization profiles, one for the Admin role and one for the Cisco DNAC Observer role.

Create the authorization profiles under Policy > Policy Elements > Results > Authorization > Authorization Profiles.

Edit each profile so that it returns a cisco-av-pair with role=NETWORK-ADMIN-ROLE for dnac_admin and role=OBSERVER-ROLE for dnac_observer.

NETWORK-ADMIN-ROLE Authorization profile

Screen Shot 2019-04-09 at 11.41.56 AM.png

OBSERVER-ROLE Authorization profile

Screen Shot 2019-04-09 at 11.42.04 AM.png

Now create an authentication policy for Cisco DNAC pointing to RSA AM, under Policy > Authentication Policy:

Screen Shot 2019-04-09 at 11.42.11 AM.png

The authentication policy matches on device type DNAC, and the identity store checked is RSA SecurID.

Create the authorization policy under Policy > Policy Sets > Authorization Policy. We create two authorization rules, one for the admin role and one for the observer role, matching on the username as the condition for rule evaluation.

Screen Shot 2019-04-09 at 11.42.16 AM.png

NOTE: In the above screenshot the authorization condition matches on the username. In a production environment, change the condition to use AD group membership if the users exist in AD, so that roles follow group changes rather than individual rule edits.

Once the profiles are created, make sure each user has a token assigned in the RSA Security Console.

Configuring Cisco DNAC for RBAC Using ISE as the External Authentication Server

Two-Factor Authentication Using RADIUS

Integrate ISE into Cisco DNAC under Settings > Authentication and Policy Servers, then enable External Authentication under Settings > Users > External Authentication and point it to Cisco ISE. The shared secret must match between Cisco DNAC and ISE.

Screen Shot 2019-04-09 at 11.47.18 AM.png

Screen Shot 2019-04-09 at 11.47.44 AM.png

Once the integration is done, register the RSA token with the RSA token server; this ensures that only the user in possession of the token can use it.

Open the RSA SecurID Token client and enter the pre-set PIN as the first factor of authentication:

Screen Shot 2019-04-09 at 11.47.52 AM.png

This in turn gives you the one-time token shown below, which you enter together with the username when authenticating:

Screen Shot 2019-04-09 at 11.47.56 AM.png

Enter the username and one-time token on the Cisco DNAC login page. A user who passes authentication is allowed access.

This is how two-factor authentication is achieved with the combination of PIN + one-time token.

Verification

We can verify the login in the live logs of Cisco ISE and RSA AM.

In Cisco ISE, under Operations > RADIUS > Live Logs:

Screen Shot 2019-04-09 at 11.48.02 AM.png

 

For logs in RSA AM, check under Home > Authentication Activity Monitor.

We can also see that we were able to log in to Cisco DNAC successfully as the respective users:

Screen Shot 2019-04-09 at 11.48.09 AM.png
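Beyond eyeballing Live Logs, the same events are worth checking programmatically. The following is an added example, not part of the original article, that triages ISE authentication events for the DNAC login path: it flags repeated passcode failures per user (guessing against the tokencode) and, more importantly, any successful DNAC login that was not validated by the RSA SecurID identity store, which would mean a password-only path slipped past the 2FA policy. The log lines are constructed for this demo and only approximate ISE's "CISE_<category> ... Key=Value, Key=Value" syslog layout; the field names and values (UserName, NetworkDeviceName, SelectedAuthenticationIdentityStores, cisco-av-pair) are assumptions, not captured output.

```python
"""Added example, not part of the original article: triage ISE authentication
events for the DNAC login path. SAMPLE_LOG is constructed and only approximates
ISE's "CISE_<category> ... Key=Value, Key=Value" syslog layout; the field names
and values are assumptions, not captured output."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2019-04-09 11:30:05 ise01 CISE_Failed_Attempts UserName=dnac_admin, NetworkDeviceName=DNAC, Protocol=Radius, SelectedAuthenticationIdentityStores=RSA SecurID, FailureReason=Wrong passcode
2019-04-09 11:47:10 ise01 CISE_Failed_Attempts UserName=dnac_observer, NetworkDeviceName=DNAC, Protocol=Radius, SelectedAuthenticationIdentityStores=RSA SecurID, FailureReason=Wrong passcode
2019-04-09 11:47:25 ise01 CISE_Failed_Attempts UserName=dnac_observer, NetworkDeviceName=DNAC, Protocol=Radius, SelectedAuthenticationIdentityStores=RSA SecurID, FailureReason=Wrong passcode
2019-04-09 11:47:40 ise01 CISE_Failed_Attempts UserName=dnac_observer, NetworkDeviceName=DNAC, Protocol=Radius, SelectedAuthenticationIdentityStores=RSA SecurID, FailureReason=Wrong passcode
2019-04-09 11:47:58 ise01 CISE_Passed_Authentications UserName=dnac_observer, NetworkDeviceName=DNAC, Protocol=Radius, SelectedAuthenticationIdentityStores=RSA SecurID, cisco-av-pair=role=OBSERVER-ROLE
2019-04-09 11:48:02 ise01 CISE_Passed_Authentications UserName=dnac_admin, NetworkDeviceName=DNAC, Protocol=Radius, SelectedAuthenticationIdentityStores=RSA SecurID, cisco-av-pair=role=NETWORK-ADMIN-ROLE
2019-04-09 11:52:30 ise01 CISE_Passed_Authentications UserName=svc_backup, NetworkDeviceName=DNAC, Protocol=Radius, SelectedAuthenticationIdentityStores=Internal Users, cisco-av-pair=role=NETWORK-ADMIN-ROLE
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<cat>CISE_\w+) (?P<kv>.*)$")


def parse_events(text):
    """Turn each log line into a dict of its Key=Value fields plus ts and category."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected layout
        fields = {}
        for pair in m.group("kv").split(", "):
            key, _, value = pair.partition("=")   # first '=' only: keeps role=... intact
            fields[key.strip()] = value.strip()
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        fields["category"] = m.group("cat")
        events.append(fields)
    return events


def find_passcode_guessing(events, device="DNAC", threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` failed DNAC logins inside any sliding `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["category"] == "CISE_Failed_Attempts" and e.get("NetworkDeviceName") == device:
            failures[e["UserName"]].append(e["ts"])
    flagged = set()
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(user)
                break
    return flagged


def find_non_token_logins(events, device="DNAC", store="RSA SecurID"):
    """Successful DNAC logins NOT validated by the RSA identity store: the policy
    let a password-only path through, i.e. the second factor was bypassed."""
    return [e["UserName"] for e in events
            if e["category"] == "CISE_Passed_Authentications"
            and e.get("NetworkDeviceName") == device
            and e.get("SelectedAuthenticationIdentityStores") != store]


def roles_granted(events, device="DNAC"):
    """Map user -> role taken from the cisco-av-pair on successful DNAC logins."""
    roles = {}
    for e in events:
        if e["category"] == "CISE_Passed_Authentications" and e.get("NetworkDeviceName") == device:
            avpair = e.get("cisco-av-pair", "")
            if avpair.lower().startswith("role="):
                roles[e["UserName"]] = avpair.split("=", 1)[1]
    return roles


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("possible passcode guessing:", find_passcode_guessing(ev))
    print("logins without RSA SecurID:", find_non_token_logins(ev))
    print("roles granted:", roles_granted(ev))
```

The second check is the one to keep running: if the DNAC policy set ever falls back to Internal Users or AD for the DNAC device type, a static password alone would grant an admin role, and only the identity store recorded on the passed authentication reveals it.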

Two-Factor Authentication Using TACACS+

Under Administration > Network Devices, make sure Cisco DNAC is present and that a TACACS+ shared secret is set as well:

Screen Shot 2019-04-09 at 11.48.23 AM.png

Then create a TACACS+ profile for each of the users dnac_admin and dnac_observer under Work Centers > Device Administration > Policy Elements:

Screen Shot 2019-04-09 at 11.48.29 AM.png

Screen Shot 2019-04-09 at 11.48.37 AM.png

Screen Shot 2019-04-09 at 11.48.44 AM.png

Now create the authentication and authorization policies for those users under Work Centers > Device Administration > Device Admin Policy Sets:

Screen Shot 2019-04-09 at 11.48.55 AM.png

Screen Shot 2019-04-09 at 11.49.00 AM.png
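For the TACACS+ path the role reaches DNAC as an attribute in the authorization REPLY rather than a RADIUS VSA. The following is an added example, not part of the original article, of a minimal RFC 8907 TACACS+ authorization REQUEST/REPLY in Python, including the MD5 pseudo-pad obfuscation of the packet body under the shared key. The key, session id, port and remote address are constructed, the REPLY is built locally to stand in for ISE, and the attribute is assumed to be returned as cisco-av-pair=role=<ROLE>, mirroring the RADIUS section; the exact attribute form in your TACACS+ profile should be taken from the ISE configuration above.

```python
"""Added example, not from the original article: a minimal RFC 8907 TACACS+
authorization exchange showing how the role in the TACACS+ profile reaches
Cisco DNAC. Assumptions: the shared key, session id, port and remote address
are constructed; the REPLY is built locally to stand in for ISE; the attribute
is assumed to be cisco-av-pair=role=<ROLE>, as in the RADIUS section."""
import hashlib
import struct

VERSION = 0xC0                      # major version 0xC, minor version 0
TAC_PLUS_AUTHOR = 0x02              # packet type: authorization
AUTHOR_STATUS_PASS_ADD, AUTHOR_STATUS_PASS_REPL, AUTHOR_STATUS_FAIL = 0x01, 0x02, 0x10


def pseudo_pad(session_id, key, seq_no, length):
    """RFC 8907 4.5 body obfuscation: chained MD5(session_id, key, version, seq_no[, prev])."""
    seed = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(session_id, key, seq_no, body):
    """XOR the body with the pseudo-pad; the same call de-obfuscates."""
    return bytes(a ^ b for a, b in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))


def packet(ptype, seq_no, session_id, key, body):
    """12-byte header (version, type, seq_no, flags, session_id, length) + obfuscated body."""
    header = struct.pack("!BBBBII", VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(session_id, key, seq_no, body)


def unpack(key, data):
    """Returns (type, seq_no, session_id, clear body). A wrong key yields garbage, not an error."""
    _, ptype, seq_no, _, session_id, length = struct.unpack("!BBBBII", data[:12])
    return ptype, seq_no, session_id, obfuscate(session_id, key, seq_no, data[12:12 + length])


def author_request(session_id, key, user, args, port=b"https", rem_addr=b"10.0.0.5"):
    """DNAC -> ISE authorization REQUEST (seq 1) for an already authenticated user."""
    argb = [a.encode() for a in args]
    ub = user.encode()
    # authen_method TACACSPLUS(6), priv_lvl 1, authen_type ASCII(1), authen_service LOGIN(1)
    body = struct.pack("!BBBBBBBB", 6, 1, 1, 1, len(ub), len(port), len(rem_addr), len(argb))
    body += bytes(len(a) for a in argb) + ub + port + rem_addr + b"".join(argb)
    return packet(TAC_PLUS_AUTHOR, 1, session_id, key, body)


def author_reply(request, key, status, args):
    """Stand-in for ISE: authorization REPLY (seq 2) carrying the profile's attributes."""
    _, seq_no, session_id, _ = unpack(key, request)
    argb = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(argb), 0, 0) + bytes(len(a) for a in argb) + b"".join(argb)
    return packet(TAC_PLUS_AUTHOR, seq_no + 1, session_id, key, body)


def extract_role(key, reply):
    """DNAC side: de-obfuscate the REPLY and pull the role from cisco-av-pair; None if denied."""
    ptype, _, _, body = unpack(key, reply)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if ptype != TAC_PLUS_AUTHOR or status not in (AUTHOR_STATUS_PASS_ADD, AUTHOR_STATUS_PASS_REPL):
        return None
    pos = 6 + arg_cnt + msg_len + data_len            # args follow server_msg and data
    for ln in body[6:6 + arg_cnt]:
        arg, pos = body[pos:pos + ln].decode(errors="replace"), pos + ln
        name, _, value = arg.partition("=")
        if name.lower() == "cisco-av-pair" and value.lower().startswith("role="):
            return value.split("=", 1)[1]
    return None


def demo():
    key = b"constructed-tacacs-key"
    req = author_request(0x1234ABCD, key, "dnac_admin", ["service=shell"])
    rep = author_reply(req, key, AUTHOR_STATUS_PASS_ADD, ["cisco-av-pair=role=NETWORK-ADMIN-ROLE"])
    return extract_role(key, rep)


if __name__ == "__main__":
    print(demo())
```

Note that RFC 8907 describes the MD5 pseudo-pad as obfuscation, not encryption, and that a wrong key does not produce an error but garbage, so a mismatched shared secret shows up as failed authorization rather than a clear key error; keep the DNAC to ISE TACACS+ path on a trusted management network.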

 

NOTE: In the above screenshot the authorization condition matches on the username. In a production environment, change the condition to use AD group membership if the users exist in AD.

Once the profiles are created, make sure each user has a token assigned in the RSA Security Console. Then integrate ISE into Cisco DNAC under Settings > Authentication and Policy Servers, and enable External Authentication under Settings > Users > External Authentication, pointing to Cisco ISE. The shared secret must match between Cisco DNAC and ISE.

 

Screen Shot 2019-04-09 at 11.49.10 AM.png

Screen Shot 2019-04-09 at 11.49.16 AM.png

Once the integration is done, register the RSA token with the RSA token server; this ensures that only the user in possession of the token can use it.

Open the RSA SecurID Token client and enter the pre-set PIN as the first factor of authentication:

Screen Shot 2019-04-09 at 11.49.21 AM.png

This in turn gives you the one-time token shown below, which you enter together with the username when authenticating:

Screen Shot 2019-04-09 at 11.49.26 AM.png

Enter the username and one-time token on the Cisco DNAC login page. A user who passes authentication is allowed access.

This is how two-factor authentication is achieved with the combination of PIN + one-time token.

Verification

We can verify the login in the live logs of Cisco ISE and RSA AM.

In Cisco ISE, under Operations > TACACS > Live Logs:

Screen Shot 2019-04-09 at 11.49.35 AM.png

For logs in RSA AM, check under Home > Authentication Activity Monitor.

We can also see that we were able to log in to Cisco DNAC successfully as the respective users:

Screen Shot 2019-04-09 at 11.49.45 AM.png
