Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
9015
Views
0
Helpful
9
Replies

ISE two factor authentication with different identity Store

Go to solution
vaibhgupta157
Level 1
Level 1

‎03-21-2018 12:22 AM

Hi All,

We are trying to authenticate a NAS in 2 level, first against LDAP/AD or internal user repository and second level against a token server. User should first login with LDAP/AD password, then NAS should ask for OTP. 


How can we achieve this in ISE?


Thanks in Advance


Regards,

Vaibhav

2 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
vaibhgupta157
Level 1
Level 1
In response to don.click1

‎05-31-2018 03:32 AM

No, this scenario is not supported.

View solution in original post

0 Helpful
9 Replies 9

Go to solution
hariholla
Cisco Employee
Cisco Employee

‎03-21-2018 10:01 AM

Here are some options for 2FA with ISE:

Two Factor Authentication on ISE – 2FA on ISE

-Hari

0 Helpful

Go to solution
vaibhgupta157
Level 1
Level 1
In response to hariholla

‎03-27-2018 05:30 AM

Hi Hari,

Thanks for reply.

I have seen this thread. But this use-case is not listed. I have put my requirement as attachment.

Please confirm whether this is possible with ISE.

attach.JPG
Preview file
33 KB
0 Helpful

Go to solution
don.click1
Level 4
Level 4

‎05-30-2018 12:13 PM

I have a very similar requirement - instead of NAS, we are using an ASA for VPN access. (and our token server is Imprivata)

did you ever get this working?

0 Helpful

Go to solution
vaibhgupta157
Level 1
Level 1
In response to don.click1

‎05-31-2018 03:32 AM

No, this scenario is not supported.

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to vaibhgupta157

‎05-31-2018 02:59 PM

moved to anyconnect team as well to see if they have further comments since its up to ASA and anyconnect to handle authentication piece

0 Helpful

Go to solution
don.click1
Level 4
Level 4

‎05-31-2018 04:34 PM

In my case, I have it working..

I have an External Identity store for AD, and setup a Radius Token server for my MFA server.

I created a "identity store sequence" and applied this in the Authentication (not the authorization) policy.

works like a champ!

0 Helpful

Go to solution
Steve Talbert
Level 1
Level 1
In response to don.click1

‎08-28-2018 12:56 PM

How is it using the sequence to perform two levels of authentication as opposed to just passing it from AD?

0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11
In response to Steve Talbert

‎08-29-2018 08:45 AM

ISE support MFA using the products listed here.

https://community.cisco.com/t5/security-documents/two-factor-authentication-on-ise-2fa-on-ise/ta-p/3636120

Recently I implemented ISE with Azure MFA which isn't in the supported
list. I am managed to do this by making the NAD (which is ASA) controlling
it. ASA will authentication with AD which performs MFA with Azure in the
backend then ISE will perform authorisation after successful authentication
(using authorize-only feature). Azure MFA used MS Authenticator mobile APP
as 2nd authenticator
0 Helpful

Go to solution
Steve Talbert
Level 1
Level 1
In response to Mohammed al Baqari

‎08-29-2018 09:02 AM

That won't work for us, as our use case is not for VPN authentication, but rather for device admin (using Radius, not TACACS).  ISE has to be the primary authenticator, but I will keep that in mind if we expand to trying to use MFA for VPN. 

0 Helpful
Customers Also Viewed These Support Documents
Top