Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6915
Views
0
Helpful
3
Replies

ISE integration with RSA

jdal
Cisco Employee
Cisco Employee

‎02-14-2018 08:43 AM

Hi,

Two questions regarding RSA integration:

1) In ISE, there are two way of integrating to the RSA server, either by using Native SecurID protocol or RADIUS protocol.

In my customer, the ISE admins couldn't get a sdconf.rec from the RSA admins so they have configured the integration via the RADIUS protocol. Is there any drawbacks?

2) They are actually planning to use OTP as an inner method of EAP-FAST.

In this case, it looks like we can configure it in two different ways, what is the difference between a "password" and a "token"?

Screen Shot 2018-02-14 at 17.38.29.png

Thanks

0 Helpful
3 Replies 3

kthiruve
Cisco Employee
Cisco Employee

‎02-14-2018 12:49 PM

Hi,

For 1, please check Oncampus RSA authentication section in

Two Factor Authentication on ISE – 2FA on ISE

For 2, Usually inner-methods such as MSCHAP use passwords that doesn't change unless there is a expiry period.

OTP is a one time password mechanism to support variety of servers such as OTP servers, RADIUS servers etc, idea is to generate one time password using a token which is different everytime you authenticate. EAP-GTC is an inner eap method supporting this.

Hope it helps.

Thanks

Krishnan

0 Helpful

jdal
Cisco Employee
Cisco Employee
In response to kthiruve

‎02-14-2018 01:08 PM

1. The link is pointing to the RSA implementation guide. I had already seen this document earlier. It explains the two ways of configuring the integration with ISE but not what are the differences. To rephrase my question, what are the benefits (if any) of integrating the server as a RSA Identity Sources instead of RADIUS Token Identity Sources ?

2. I'm pretty familiar with the different EAP types and the different authentications method. The question is what is the difference in NAM behavior when you configure "Authenticate using a password" with EAP GTC and "Authenticate using a token and EAP-GTC". That sounds like two redundant options.

Why do we have the choice for the last option? The token could also be considered as a password (yes it is changing every time but that is transparent for NAM)

0 Helpful

hslai
Cisco Employee
Cisco Employee
In response to jdal

‎02-14-2018 01:48 PM

AnyConnect Admin Guide on NAM EAP-GTC says,

Neither the Network Access Manager, the authenticator, nor the EAP-GTC protocol can distinguish between password and token code. These options impact only the credential’s lifetime within the Network Access Manager. While a password can be remembered until logout or longer, the token code cannot (because the user is prompted for the token code with every authentication).

0 Helpful
Customers Also Viewed These Support Documents