Here are two well-known definitions of two-factor and, more generally, multi-factor authentication.
2-factor authentication becomes important --- an authentication process that involves 2 independent means of authenticating the principal. So, we might require that a principal not only possess a device but also know some secret password (often known as a PIN, or personal identification number). Without 2-factor authentication, stealing the device would allow an attacker to impersonate the owner of the device; with 2-factor authentication, the attacker would still have another authentication burden to overcome. (Cornell University)
Authentication can involve something the user knows (e.g., a password), something the user has (e.g., a smart card), or something the user “is” (e.g., a fingerprint or voice pattern). Single-factor authentication uses only one of the three forms of authentication, while two-factor authentication uses any two of the three forms. Three-factor authentication uses all three forms. (DHS – 4300 A directive)
What you know. What you have. What you are.
In general, two-factor authentication is a form of strong authentication used in government, industry, etc. The two factors can be any two of the factors mentioned above, but typically they are user credentials/passcode (something you know) and a token/smart card (something you have).
The goal of two-factor authentication is to prevent an attacker from impersonating the owner when the attacker has possession of a device (laptop/workstation, token, etc.): the stolen device alone is not enough, because the second factor is still missing.
ISE and Two-Factor Authentication Scenarios
ISE supports two-factor authentication using the following methods:
External 2FA identity sources (e.g. RSA SecurID, smart card) or any RADIUS RFC-3865 compliant token server, for on- or off-campus support.
Cisco ASA/AnyConnect with 2FA identity sources such as RSA SecurID, for remote access/off-campus support.
AnyConnect NAM (a unique chaining scheme), for on-campus support.
Note that there are other multi-factor solutions that work with ISE but are transparent to it. For example, a user who unlocks a smart card with a PIN, or who enters AD credentials via a biometric reader at the desktop, ends up sending ISE credentials that ISE cannot know were provided using multi-factor methods.
Here are details of the two-factor authentication implementations documented for ISE.
(Please click on the link on each item for step-by-step instructions.)
Finally, with ASA, ISE can also be used for authorization only, providing access controls to the ASA (with the ASA itself configured to perform multi-factor authentication), as in case c above.
To summarize, ISE supports authentication that uses a third-party two-factor authentication service alone, or in conjunction with the Cisco ASA and the Cisco AnyConnect client, for on-prem and off-prem use cases.
ISE also provides authentication chaining and an EAP chaining mechanism that chains two different authentication forms, which can use two different factors. EAP chaining is a unique method in which the user identity and the machine identity are chained together within the same authentication session, ensuring that both identities are tied to the same machine and letting you identify a corporate asset in a secure way.