MFA with WLAN
We need to enable MFA on our Cisco Wireless LAN, i was checking if this is compatible with RSA CAS on RSA Ready, unfortunately nothing is mentioned regarding the new authentication methods(Biometric or push to approve).
Could you please advise on that.
- Cloud Auth
- Cloud Authentication
- Cloud Authentication Service
- Community Thread
- Forum Thread
- RSA SecurID
- RSA SecurID Access
One way to view this question is, where do you put the RSA agent? If you are planning to put the Authentication agent on your Windows platform, to authenticate as the Windows platform connects to a wireless network, you would need the Windows MFA agent in order to authenticate against the RSA SecurID Access cloud, which can be found here
If you only needed to authenticate with a token passcode against RSA SecurID Authentication Manager, you could use the Authentication Agent for Windows, which can be found here
If the Cisco Wireless Access is authenticating users for Wireless access, then the RSA Authentication agent is not on Windows it is on the Cisco, which means you need to look for a Cisco Partner Guide for that particular product to integrate to RSA 2-factor or multi-factor authentication. You would need to search RSA Link for your particular Cisco Product Partner Guide.
What we are looking for here is to enable MFA while users are trying to access the WLAN which is managed by a Cisco WLC.
I have already checked the RSA Ready document Cisco Wireless LAN Controller WLC 2100 and 4400 - RSA SecurID Access Standard Agent Implementation G..., however, its only mentioning the integration with authentication manager using ODA or software tokens, nothing is mentioned regarding the RSA cloud authentication service by using the new authentication methods (Biometric or push to approve).
The Implementation guide is from 2013, so that definitely means it uses the original UDP Agent API to Authentication Manager. I don't think you can use this Cisco Product with the Cloud Access. Unless anyone else has a different approach, but you get push to approve and Bio-metric from CAS, not from AM
im looking for the integration with RSA CAS( fully cloud solution) and not the hybrid one.
My question here if this integration is possible and if we can use the authentication methods which you mentioned while accessing our WLAN.
Ted pointed out that AM 8.4 P4 and above can leverage PIN+Approve on a CAS registered device if your AM is integrated with CAS and the IDR.
You can read about it under Patch 4 New Features in the AM readme for any patch higher than p4. See
Authenticate with a Push Notification to Your Mobile Device; No Agent Updates Required
So Cisco sends the authentication to AM, and AM talks to CAS to check the Push to Approve and responds back to Cisco whether to grant access or not.
So in order to move with such integration radius should be implemented between Cisco WLC and our AM, which the AM then proxy the authentication request to the CAS for MFA capabilities?
Could you please assist me on how the association will happen when a client is trying to connect to a WLAN.
If the Cisco device uses RADIUS then you could target your Authentication Manager's RADIUS server and use the AM->Cloud Authentication Service (CAS) capability discussed above.
Or you could target the RADIUS client at our Identity Router (IDR) virtual appliance (IDRs contain a RADIUS server) which would forward the request to the Cloud Authentication Service.