Cisco AnyConnect TWO-factor authentication with Cisco ISE (AD + One Time Password)

I require help to configure Cisco AnyConnect VPN two-factor authentication with ISE. ISE has to authenticate users with domain credentials as the primary factor and a One-Time Password (OTP) as the second factor, which ISE needs to send after extracting the phone information from AD.

Basically, when a user tries to connect with Cisco AnyConnect, the ASA will request RADIUS authentication from ISE 2.2. ISE will verify the login credentials against the domain controller and, once user authentication passes, it should prompt for the OTP as the second authentication factor; at the same time ISE has to send an SMS to the user's mobile number, which it can extract from the domain controller.

Requesting your help in implementing this solution.

Regards

Ashish Shah

5 Replies

Francesco Molino
VIP Alumni
Hi

What you're requesting is having ISE as the OTP server, right?

Right now there's no such option, no OTP generator.

You need to have an OTP server linked with ISE as an external RADIUS server.

This OTP server will check with ISE for credential verification and will request an OTP.

You have paid solutions like Duo Security or free solutions like FreeRADIUS with Google auth.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi

Thanks for the reply.

I am a bit confused. Basically, then how does ISE send SMS for the Guest portal?

We have an OTP server as well, so how do we set up the Cisco ISE authentication policy for two-factor authentication?

ISE is capable of sending SMS through an SMS gateway with a fixed message for guest authentication, but it doesn't have any OTP generator available for RADIUS authentication.

What's your internal OTP server?
Your authentication policy should be validated through an external RADIUS server, which will be your OTP server.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi

 

We have a third-party OTP server with Windows RADIUS, which we will now be using as the authentication server. So ISE is not involved in the authentication process at all.

Will there be any configuration required related to two-factor authentication on the Cisco ASA? Currently I am planning to do the following tunnel-group configuration.

tunnel-group AnyConnect-Test type remote-access
tunnel-group AnyConnect-Test general-attributes
 authentication-server-group RADIUS
 default-group-policy AnyConnect
tunnel-group AnyConnect-Test webvpn-attributes
 group-url https://test.xyz.com/Remote-VPN enable

Regards

Ashish Shah

Nothing to do on the ASA, except the RADIUS server for authentication, which it seems has already been done.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
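The RADIUS exchange described in this thread (the ASA sends the user's AD password to the OTP RADIUS server, which verifies it and then asks for the OTP in a second round) as an added Python example; this is not code from the thread, from Cisco or from any OTP vendor. The shared secret, user names, prompt and State value are constructed sample values, and the packet layout follows RFC 2865 (Access-Request, Access-Challenge, User-Password hiding, Response Authenticator), using only the standard library.

```python
import hashlib
import os

# RADIUS codes / attribute types used in the ASA <-> OTP-server exchange (RFC 2865)
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
def _tlv(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value
def _password_stream(blocks: bytes, secret: bytes, auth: bytes, decrypt: bool) -> bytes:
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous cipher block)
    out, prev = b"", auth
    for i in range(0, len(blocks), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(blocks[i:i + 16], key))
        prev = blocks[i:i + 16] if decrypt else block
        out += block
    return out

def hide_password(password: bytes, secret: bytes, auth: bytes) -> bytes:
    return _password_stream(password + b"\x00" * (-len(password) % 16), secret, auth, False)
def reveal_password(hidden: bytes, secret: bytes, auth: bytes) -> bytes:
    return _password_stream(hidden, secret, auth, True).rstrip(b"\x00")

def build_access_request(ident, username, password, secret, state=None):
    # What the ASA sends; the second round carries the OTP plus the server's State attribute
    auth = os.urandom(16)  # request authenticator (random per request)
    attrs = _tlv(USER_NAME, username) + _tlv(USER_PASSWORD, hide_password(password, secret, auth))
    if state is not None:
        attrs += _tlv(STATE, state)
    return bytes([ACCESS_REQUEST, ident]) + (20 + len(attrs)).to_bytes(2, "big") + auth + attrs, auth

def build_access_challenge(ident, request_auth, secret, prompt, state):
    # What the OTP server returns once the AD password checked out: a prompt plus a State token
    attrs = _tlv(REPLY_MESSAGE, prompt) + _tlv(STATE, state)
    header = bytes([ACCESS_CHALLENGE, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_packet(data: bytes):
    # Returns (code, ident, authenticator, {attr_type: [values]})
    attrs, pos, length = {}, 20, int.from_bytes(data[2:4], "big")
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        attrs.setdefault(attr_type, []).append(data[pos + 2:pos + attr_len])
        pos += attr_len
    return data[0], data[1], data[4:20], attrs

def response_is_authentic(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    # Response Authenticator = MD5(code|id|len | RequestAuth | attrs | secret); reject anything else
    return resp[4:20] == hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
```

The response_is_authentic check is the part worth keeping in any test harness: a reply whose Response Authenticator does not verify did not come from the holder of the shared secret and must be discarded rather than treated as a challenge or accept.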