2 Replies Latest reply: Jan 12, 2018 11:51 AM by richlucht1978 RSS

MFA for Cisco switches and routers




We currently use ISE 2.2 and the radius protocol to SSH into our network gear.  We now have a requirement to make that access multi-factor authentication.  We are also standing up an azure multi-factor authentication server for Cisco anyconnect.  Is there a way i could use that azure multi-factor server to get the desired results?  Also I have been messing around with DUO auth proxy.  has anyone had success using this.  I am getting some traffic to ISE and seeing some info on the log of the DUO authproxy.  I am getting either a failed password or invalid key on ISE and the log states [RadiusClient (UDP)] dropping packet from - response packet has invalid authenticator.  DUO says the following.


It looks like the primary authentication to the radius server is timing out because it looks like its looks for a specific authetnicator that is sending back ''response packet has invalid authenticator'' which means..

This usually occurs at the later stage when the EAP message is attached. The first RADIUS packet of the 802.1x session does not include the EAP message; there is no Message-Authenticator field and it is not possible to verify the request, but at that stage, the client is able to validate the response with the use of the Authenticator field.

I would check the radius server settings to see if this might be enabled and looking for anykind of EAP or 802.1x information.