ACS 5.2 TACACS+ and two factor authentication?

cybrsage
Level 1

I am trying to wrap my head around this topic and failing. I want to set up two factor authentication via ACS 5.2 TACACS+ without having to use a token (such as that by RSA). Is there a way to do it?

More info:

Users from unconnected AD domains will be connecting to the routers and switches.

There is a certificate server available to generate certificates.

SSHv2 is the current login protocol.

Thanks!

Accepted Solutions

Jatin Katyal
Cisco Employee

Without RSA, I don't see a way to accomplish this.

With TACACS, all you can have is:

username:xxxxxx

password:xxxxxx

ciscoasa>enable

password:xxxxxx

Above, you are using 2 passwords: login and enable.

Jatin Katyal


- Do rate helpful posts -

~Jatin

That is what I was coming up with, but I was hopeful someone would say "you can do this...".

I see that I can set up more than one database to authenticate against and I can use certificates...but Cisco's TACACS stops when it gets the first OK (like an access list does), so if I use a certificate it will not prompt for a username and password if it finds the certificate first and vice versa.

Sorry to tell you the true story

Could you please explain what your end goal is? What all devices are involved in your setup and what kind of authentication is this?

Jatin Katyal


- Do rate helpful posts -

~Jatin

The IRS demands two factor authentication for any system which touches specific kinds of data, such as social security numbers. Just routers and switches. I was hoping to do this without spending money - but it appears I am out of luck on that front.

I will keep this thread open for a bit just in case someone else has any ideas, otherwise I will mark yours as the correct answer.

sure

Jatin Katyal


- Do rate helpful posts -

~Jatin