Showing results for 
Search instead for 
Did you mean: 
Cisco Community November 2020 Spotlight Award Winners

Two Factor Authentication on ISE – 2FA on ISE





Here are two well-known definitions for two factor and in general multi-factor authentication.


2-factor authentication becomes important --- an authentication process that involves 2 independent means of authenticating the principal. So, we might require that a principal not only possess a device but also know some secret password (often known as a PIN, or personal identification number). Without 2-factor authentication, stealing the device would allow an attacker to impersonate the owner of the device; with 2-factor authentication, the attacker would still have another authentication burden to overcome. (Cornell University)


Authentication can involve something the user knows (e.g., a password), something the user has (e.g., a smart card), or something the user “is” (e.g., a fingerprint or voice pattern). Single-factor authentication uses only one of the three forms of authentication, while two-factor authentication uses any two of the three forms. Three-factor authentication uses all three forms. (DHS – 4300 A directive)




    What you know.                                                      What you have.                              What you are.


In general, two factor authentication is a form of strong authentication used in government, industry etc. The two factors can be any of the factors mentioned above but typically it uses user credentials/ Passcode and Token/ Smartcard as two factors.

The goal of the two factor authentication is not to allow an attacker impersonate the owner when the attacker holds the possession of a device (laptop/workstation) etc.


ISE and Two Factor Authentication Scenarios

ISE supports two factor authentication mechanisms using the following methods

  1. External 2FA Identity sources (e.g. RSA Secure ID, Smartcard) or any RADIUS RFC-2865 compliant token server for on or off campus support.

         ( Cisco Identity Services Engine Network Component Compatibility, Release 2.2 - Cisco)

  1. Cisco ASA/ Anyconnect with 2FA Identity sources such as RSA secure ID for remote access/off campus support
  2. Anyconnect NAM (unique chaining scheme) for on-campus.


Note that there are other multi-factor solutions that work with ISE, but are transparent to ISE. For example, a user that unlocks a smartcard with PIN, or enters AD credentials via a biometric reader at desktop, will end up sending credentials to ISE which are not known to have been provided using multi-factor methods.


Here are details of the 2 factor authentication implementation documented for ISE.


(Please click on the link on each item for step by step instruction)

    a. User authentication: Using Passcode and token


     b. Device Administration: Government issued PIV or CAC cards using PIN and certificates


        Pragma Fortress CL SSH Client (RFC6187 compliant)

        Training available in dcloud .

        Using DUO with ISE 2.3 and ACS 5.X for 2FA Cisco Network Admin Access


     c. User + Machine authentication chaining: EAP-chaining with Anyconnect and ISE


For two factor using web authentication ISE integrates with

   a. Symantec Validation ID Protection


     b. Azure AD with MFA with SAML 2.0 SSO (at ISE end-user-facing webauth portals if the primary auth is form-auth authentication).


     c. Authentication chain( using CWA): Certificate/user credentials + Web portal(central web authentication)



  1. ASA with ISE using user certificate and RSA secure ID for authentication
  2. ASA with ISE for two factor authentication using Safenet authentication service
  3. ASA for two factor authentication(ISE can be used for authorization here)
  4. Azure for 2FA, as a RADIUS token server for ISE(Thank you Richard Lucht) and with Anyconnect VPN


Finally with ASA, ISE can also just be used as authorization to provide access controls to ASA (with ASA configured to performing multi-factor authentication) as in the case of c above.



To summarize, ISE supports authentication mechanism that uses 3rd party two factor authentication service alone, or in conjunction with Cisco ASA server and Cisco Anyconnect client for on/off prem use cases.


ISE also provides authentication chaining and EAP chaining mechanism that chains two different authentication forms that can use two different factors for that. EAP-Chaining is a unique method where the user identity and machine identity are chained together within the same authentication session thereby ensuring that both the identities are tied to the machine that helps you to identify a corporate asset in a secure way.


Thanks for updating the document and adding the Azure MFA link, but attached doco talks about SAML

more over i am expecting the two factor authentication (since MFA is also radius) intefration with ISE for wired / wireless and anyconnect users

Cisco Employee

I will update the community site when I have the doc. Essentially MFA will be using SAML. This can be used as a reference to configure Azure. Will add a note in the community site.

2FA is independent of media. If you are going to use Anyconnect, it depends on what module is being used. The list would cover examples of 2FA that are documented with ISE.



@Jai Singla, I have tested MFA with Azure without SAML, just add is as a radius server.

Works fine for me.

Cisco Employee

Just a quick note.

From ISE point of view, it would work as long as the authentication responses received within the session timeouts, besides the current constraint on ISE SAML 2.0 implementation in insisting the primary auth to be urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Cisco Employee

Good morning, do we maintain a list of 2-Factor auth applications (ex. Google Authenticator) that are supported or that can be used with ISE?


I am in the lab testing certificate authentication in ISE 2.2 p5, and 2 factor authentication on wireless only.  Can certificates be used as authentication followed by SecurID, or is the only way on wireless using a certificate authentication other than web redirect?  In production we currently use User + Machine authentication chaining for laptops, and MDM for mobile devices.  Was hoping we could have a more simple approach for all with certificate authentication.would be appreciated.

Any feedback and guidance would be appreciated.


I have also tested used Azure MFA as a Radius server.  Worked great for Cisco devices and anyconnect using either token or push notifications.  I could only get push notifications to work with non cisco devices.

Cisco Employee

Hi Jeffrey,

The above is a list we have currently. ISE in general supports RSA and Radius token that is RFC compliant.  You can find the compability information in ISE compatibity guides. That said there are other 2FA vendors who validated ISE with their product. This is a quick compilation of those.

Cisco Employee

Thank you for the feedback. I added the link as per your suggestion and updated the site.

Cisco Employee

Hi Darren,

Are you looking for 2FA or cert authentication? In any case, please ask your questions in ISE community if not already

Cisco Employee

Documents states, " RADIUS RFC-3865 compliant token server"

I believe that s/b RFC-2865?


I am  not able to access the details instruction for the below option when i click the link it redirects to the cisco live site.


c. Authentication chain( using CWA)Certificate/user credentials + Web portal(central web authentication)


Could you please provide the correct documentation link. 


I am using Cisco ISE 2.2 version where the Symantec VIP setting are not relevant. Could you please let me know how to achieve this in ISE 2.2 


 a. Symantec Validation ID Protection





Can we add OTP/2FA for web auth with sponsored access? The client wants to do OTP after user logs in with the sponsored guest login. It will send the OTP via email or SMS to the IT admin.


Thank you.

Cisco Employee
Not supported

Once a sponsor approves or creates an account then the user gets notified via email or sms and is allowed access. There is no way to send another credential again

Why do you need this? Isn’t restricting users ability to login until receiving credentials on their cell phone enough?
Content for Community-Ad