
Cisco Secure Network Analytics (SNA) MFA configuration.

ggambuti
Level 1

Hi, after configuring Cisco Stealthwatch (ver. 7.4.2) in my network, I need to give access to multiple accounts; the way I want to do this is via the Active Directory profile that the user already has. For security reasons I've been asked to provide a 2FA or MFA.

I have access to Google Authenticator and FortiAuthenticator, is it possible to use one of these as a 2FA? If yes, then how?

At the moment the access is via a RADIUS server configured on the Domain Controller. Is there a better way? Do I need to use a different method to implement 2FA?

Thank you in advance for any help.

2 Replies

Milos_Jovanovic
VIP Alumni

Hi @ggambuti,

Stealthwatch can use RADIUS, TACACS+ or LDAP as an external AAA. I've done implementations in which I've directed Stealthwatch to ISE, and ISE was integrated with MFA (Duo), so ISE was basically doing all the heavy lifting in the backend. If you can achieve something similar with your deployment, that should be the way forward. I don't know how these MFA systems work in the backend, but you need something to control authorization also, upon successful authentication, which I believe can't be achieved with Google Authenticator.

Kind regards,

Milos

Hello @Milos_Jovanovic

Thank you for your input.

Unfortunately I don't have access to an ISE; the only thing I can use is the ADFS or the FortiAuthenticator, which is currently not working. I'm trying to find a workaround to use it as SAML SSO to get the token, but it gives me a "500 Internal Error" when using the FortiAuthenticator as a Service Provider.