Just to clarify, an RSA token on its own is not 2FA as incorrectly stated above. It becomes a second factor when provided along with another form of authentication e.g. something you know - username/password or something you are - biometric. Providing ad credentials along with a totp is very normal and it’s weird that ISE seemingly cannot do this, where as an ASA can.
... View more