Anyconnect with ISE And 2FA with Google Authenticator

Patrickyounes · ‎06-22-2020

Some of the documents are mentioning that there is no direct integration between ISE and GAuth

For example, under one of the cisco community discussions, the below is mentioned.

ISE is not currently integrating directly with Google Authenticator. It might work if you are able to use a 3rd-party RADIUS server to integrate with Google Authenticator and use that in ISE as an identity store of RADIUS token server type, and pass on the whole string (password & verification code) to the 3rd-party RADIUS server, which in turn to Google Authenticator.

Reference: https://community.cisco.com/t5/network-access-control/ise-2-tacacs-device-administration-with-google-authenticator-2fa/td-p/3512735

• Can someone advise if till now there is no direct integration between Cisco ISE and Google Auth For Anyconnect 2FA?

• And If we need to have a 3rd party Radius, can we use FreeRadius?

• And does anyone has the technical steps to do this integration?

ThomasCalis · ‎07-02-2020

We are in the process of selling ISE + Firepower to replace some Fortigate functionality.

Client is using Google Authenticator (GA) at the moment and prefers not to replace this functionality as this would require a change for the users.

As far as I understand GA can be approached on two ways:

- SAML 2.0

- RADIUS with FreeRADIUS intermittent server

Can you confirm GA with SAML 2.0 will work in the following setup:

- Client running Anyconnect Client v4.6+
- connecting with VPN to FTD v6.6+
- FTD authenticating to ISE v2.6+

Thank you!