Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3119
Views
0
Helpful
6
Replies

how can cisco ise integrate with windows server ?

Go to solution
jewfcb001
Level 4
Level 4

‎05-11-2020 11:49 PM

how can cisco ise integrate with windows server for windows login and use 2 factor authen via cisco ise ? 

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jewfcb001
Level 4
Level 4
In response to thomas

‎05-14-2020 04:13 AM

@thomas  

Thank you for your information .  I already update to the customer . I recommend they . They can choose Cisco DUO or Google Authenticator etc .. I think it's the best way for this solution. 

View solution in original post

0 Helpful
6 Replies 6

Go to solution
jewfcb001
Level 4
Level 4

‎05-12-2020 12:38 AM

Update
how can Remote desktop authentication with Cisco ISE ?
0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to jewfcb001

‎05-12-2020 01:13 AM

Let's turn that question around and ask, does Windows Server have any reason to use RADIUS for anything? I don't believe it has a RADIUS interface for any kind of authentication. If it does, then any RADIUS server can be used. 

0 Helpful

Go to solution
jewfcb001
Level 4
Level 4
In response to Arne Bier

‎05-12-2020 01:23 AM

Thank you for answer . 

 

I found some post about Remote desktop authentication via cisco ise but I confused about this function . 

Can you explain for more detail ?

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to jewfcb001

‎05-12-2020 03:26 AM

Perhaps you can share the link that you are referring to.

 

A quick google search reveals that there is an RD Gateway that allows remote users to access the RDP services and this is coupled with a second factor authentication. That's where the RADIUS integration comes in. I don't fully understand it myself - but it seems that the MFA setup makes a RADIUS request to the RADIUS server (NPS/ISE whatever) and the RADIUS server has to authenticate the MFA request. If successful, then the MFA sends the SMS or notification to the user's mobile device. I don't believe it requires any specific ISE functionality.  Microsoft have documented all the gory details here and they mention their own NPS server in the document - but I reckon ISE could also do the job.

 

 

 

0 Helpful

Go to solution
thomas
Cisco Employee
Cisco Employee

‎05-12-2020 02:57 PM

I don't understand the exact scenario you are asking about since you were not detailed in your question.

1) Can ISE integrate with Windows Server: This is a general AD integration question. Yes, it if is an Active Directory domain controller, ISE can join the domain to use AD as an Identity Store/server for authenticating users.

2) Can cisco ise integrate with windows server for windows login: This sounds like a user login/network access control question using 802.1X and RADIUS. ISE will only authenticate domain computer or domain servers if 802.1X is enabled. This is extremely rare for servers since they are usually remotely managed and Windows RDP doesn't generate an 802.1X Login event.

3) Windows login and use 2 factor authen via cisco ise:  ISE can authenticate a user doing a Windows login using 802.1X against Windows Active Directory if you configure the Windows wired supplicant (Wired AutoConfig Service). However 2 factor authentication with 802.1X is not currently possible.

4) use 2 factor authen via cisco ise: if 2 factor is the most important thing, you may use 2 factor authentication using a Self-Registered Guest web portal in ISE with a SAML Identity Provider that offers 2FA/MFA.

0 Helpful

Go to solution
jewfcb001
Level 4
Level 4
In response to thomas

‎05-14-2020 04:13 AM

@thomas  

Thank you for your information .  I already update to the customer . I recommend they . They can choose Cisco DUO or Google Authenticator etc .. I think it's the best way for this solution. 

0 Helpful
Customers Also Viewed These Support Documents