Cisco ISE TACACS+ with RSA Securid and AD integration

Nathan Falcon
Cisco Employee

We'd like to control device TACACS authorization with AD Users and Groups while using RSA tokens for authentication.  Does ISE support the ability to support the combination of AD Username and RSA Token passcode when using TACACS?


Example:

1) Login to the network device and prompted for username

2) Username: <AD user>

3) Password: <RSA Passcode>

Authorize user based on assigned AD Group.



Accepted Solution

Nidhi
Cisco Employee

This has been explained here: Two Factor Authentication on ISE – 2FA on ISE and Cisco ISE Two Factor Authentication / Authorisation with different User Identity Store.

You can also do AD+OTP authentication by integrating the token server with AD.

Thanks,

Nidhi

west33637
Level 1

Hello Nathan. How does this work? ISE will need to have the RSA AM configured as an external identity source in the authentication policy. Where will ISE get the AD group info of the authenticating user in order to configure authorization policies against?

Does the RSA pass AD group information to ISE for the purpose of authorization?

Hello,
I want to know the answer to "Does the RSA pass AD group information to ISE for the purpose of authorization?"
Because I have a problem with authorization.
Authentication passes with RSA, but authorization fails with: "Subject not found in applicable Identity store".
(Logs on the RSA server say: Authentication method success.)
So the question is: does ISE make an AD access to verify the AD group of the user, or does ISE use the answer of the RSA to match the user to the AD group?

Michel

You need to turn on identity caching under your RSA definition.


Hello Paul,

Great! You directly found the solution.
In fact, this parameter "identity caching" is new. It doesn't exist in version 2.2. So doing a migration causes the problem, because it is not checked during the upgrade!

To sum up: when the problem is that RSA authorisation fails but RSA authentication passes, and in the authorisation step you find the lines
   15013 Selected Identity Source - RSA SecurID
   24558 User cache is not enabled in the RSA identity store configuration - RSA SecurID
   22016 Identity sequence completed iterating the IDStores
   22056 Subject not found in the applicable identity store(s)
the solution is to enable "Identity caching" in
External id source: RSA SecurID > tab Authentication Control.

Many thanks for your help!!
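As an added triage example (not from this thread or from Cisco), a short Python check that parses ISE authentication report step lines like the ones Michel quotes and tells apart the "identity caching disabled" case (step 24558 present before 22056) from a subject that is genuinely missing. The step lines are taken from the post above; the regex for the step format and the diagnosis labels are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the step lines quoted in the post above, in the
# "<code> <message> - <identity store>" layout of an ISE authentication report.
STEPS_CACHE_DISABLED = """
15013 Selected Identity Source - RSA SecurID
24558 User cache is not enabled in the RSA identity store configuration - RSA SecurID
22016 Identity sequence completed iterating the IDStores
22056 Subject not found in the applicable identity store(s)
"""

# Constructed contrast: same final failure but no 24558, so caching is not
# the explanation and the user is really absent from the stores checked.
STEPS_SUBJECT_MISSING = """
15013 Selected Identity Source - RSA SecurID
22016 Identity sequence completed iterating the IDStores
22056 Subject not found in the applicable identity store(s)
"""

# Assumed format: five-digit step code, free-text message, optional " - <store>".
STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*?)(?:\s+-\s+(.+))?$")


@dataclass
class Step:
    code: str
    message: str
    store: Optional[str]


def parse_steps(text: str) -> List[Step]:
    """Parse report lines into Step records, skipping anything that is not a step."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append(Step(m.group(1), m.group(2), m.group(3)))
    return steps


def diagnose(steps: List[Step]) -> Tuple[str, Optional[str]]:
    """Return (label, identity store) explaining a 22056 authorization failure."""
    by_code = {s.code: s for s in steps}
    if "22056" not in by_code:
        return ("no_subject_not_found", None)
    if "24558" in by_code:          # user cache disabled on the RSA identity source
        return ("rsa_identity_caching_disabled", by_code["24558"].store)
    return ("subject_missing_from_stores", by_code.get("15013", Step("", "", None)).store)
```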
