We are trying to authenticate a NAS in 2 level, first against LDAP/AD or internal user repository and second level against a token server. User should first login with LDAP/AD password, then NAS should ask for OTP.
How can we achieve this in ISE?
Thanks in Advance
Solved! Go to Solution.
In my case, I have it working..
I have an External Identity store for AD, and setup a Radius Token server for my MFA server.
I created a "identity store sequence" and applied this in the Authentication (not the authorization) policy.
works like a champ!
That won't work for us, as our use case is not for VPN authentication, but rather for device admin (using Radius, not TACACS). ISE has to be the primary authenticator, but I will keep that in mind if we expand to trying to use MFA for VPN.