
Authentication

yohh
Cisco Employee

Hello,

I have a partner asking the following about ISE authentication.

1) Is ISE capable of authenticating through the following methods

- MAC authentication of device

- 802.1x user authentication through external AD server

- Additional authentication with one-time-password

2) If yes, do these 3 methods happen one after the other?

Thank you.

1 Accepted Solution


Jason Kunst
Cisco Employee

Yes, this is the capability of the network access device. For example, on the switch you would set up flexible authentication to perform 802.1X first and then fall back to MAC auth bypass.

On the wireless side, it depends on the wireless LAN: you can either do MAC auth bypass on one WLAN or 802.1X on another, but it doesn't support both.

Not sure about the OTP; you either do one or the other, I believe, and not both. Perhaps someone here knows more if it's possible.


2 Replies


Typically authentication is serial and the NAD will only authenticate using one method. There are exceptions like ASA VPN where two separate auths can be sent for the same connection, or different methods to "chain" authentications such as EAP Chaining, CWA Chaining, or Easy Connect Chaining.

OTP is often associated with Two-Factor Authentication (or Multi-Factor Auth) where 2 or more methods are combined into one event. For example, I enter a PIN or biometric to unlock a one-time passcode. The passcode is validated by ISE to the token server, but the user had to perform multiple verifications to issue the OTP.

Craig
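
Added example, not part of the original thread or written by either poster: a Cisco IOS switch configuration sketch for the flexible authentication described in the accepted answer, where the port tries 802.1X first and falls back to MAC auth bypass, one method at a time. The RADIUS server name, the address 192.0.2.10, the `<shared-secret>` placeholder, the interface and the VLAN are assumptions made for illustration.

```cisco
! Constructed values: 192.0.2.10 stands in for the ISE node,
! <shared-secret> is a placeholder, interface and VLAN are assumed.
aaa new-model
!
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
aaa group server radius ISE
 server name ISE-PSN1
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
! Enable 802.1X globally on the switch
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! Methods are tried serially: 802.1X first, MAB only if no supplicant answers
 authentication order dot1x mab
 ! If a supplicant starts 802.1X after MAB has succeeded, 802.1X takes over
 authentication priority dot1x mab
 authentication port-control auto
 ! Enable MAB and the 802.1X authenticator role on this port
 mab
 dot1x pae authenticator
 ! Fallback to MAB occurs after (max-reauth-req + 1) * tx-period seconds
 ! of EAP silence: 30 s here with the default max-reauth-req of 2
 dot1x timeout tx-period 10
 spanning-tree portfast
```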