RSA MFA integration with Cisco ISE
I have the following question:
I have an RSA MFA environment (Cloud + 2 IDR), where I need to provide a second authentication factor for SSL VPN users (Fortinet, Check Point, Cisco ASA); however, the RADIUS server for these platforms is Cisco ISE.
How can I add a second authentication factor for these SSL VPN accounts while Cisco ISE continues to be the RADIUS server? That is, just add MFA for authentication.
Thank you very much for your time!
Hi mauricio perez - to get additional MFA authentication in your environment you would need to target the RADIUS clients at your IDRs' embedded RADIUS servers.
Please take a look at High-Level Authentication Flow for RADIUS for the Cloud Authentication Service.
Hope that is helpful,
In your case you can configure ISE as a RADIUS client to our IDR.
Fortinet, Check Point and Cisco ASA use ISE (as RADIUS server), and on the other side ISE uses the RSA IDR as a RADIUS server.
Thank you very much to both of you, I am still in the testing phase of Radius Client. I enabled a Radius Client in the cloud and I tried to generate the connection with a fw and different Radius clients without success. I have followed the RSA documentation but I cannot generate remote user authentication with IDR as a Radius Server.
If you are still having trouble getting a successful RADIUS authentication, have you tried enabling RADIUS debug to generate logs and using a RADIUS test client like NTRadPing? 000014905 - Performing RADIUS authentication tests with NTRadPing to RSA Authentication Manager and 000027040 - How to set PINs and navigate Next Tokencode Mode for RSA SecurID Tokens using NTRadPing will assist you in testing.
If you are still having an issue, please see How to contact RSA Customer Support so you can work with a support engineer for assistance.
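The kind of RADIUS test suggested above can also be scripted. The following is an added example, not part of the thread and not RSA or Cisco code: a minimal PAP Access-Request builder and reply verifier following RFC 2865, useful for checking one hop of the chain (for instance ISE to IDR) in isolation. The NAS-Identifier value `radius-test` is constructed; the host, port, user and shared secret are whatever the caller supplies.

```python
import hashlib, hmac, os, socket, struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2 (PAP)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(user, password, secret, ident, req_auth=None,
                         nas_id=b"radius-test"):  # nas_id: constructed value
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    req_auth = req_auth or os.urandom(16)
    attrs = (attr(1, user)                                          # User-Name
             + attr(2, hide_password(password, secret, req_auth))  # User-Password
             + attr(32, nas_id))                                    # NAS-Identifier
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))  # code 1 = Access-Request
    return header + req_auth + attrs, req_auth

def check_reply(reply: bytes, secret: bytes, ident: int, req_auth: bytes) -> str:
    """Verify the Response Authenticator, then name the reply code."""
    if len(reply) < 20:
        raise ValueError("reply shorter than a RADIUS header")
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        raise ValueError("identifier or length mismatch")
    want = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(want, reply[4:20]):
        raise ValueError("bad Response Authenticator: shared secret mismatch?")
    return CODES.get(code, f"code {code}")

def send(host: str, port: int, packet: bytes, timeout: float = 5.0) -> bytes:
    """Send one request over UDP. Servers silently drop requests from
    unknown client addresses, which shows up here as a timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, port))
        return s.recvfrom(4096)[0]
```

Pass the bytes returned by `send()` to `check_reply()` together with the identifier and Request Authenticator from `build_access_request()`. Answering an Access-Challenge additionally requires echoing the server's State attribute, which this example does not do.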
Thanks to all. I implemented RSA CAS as the RADIUS server for Cisco ISE (RADIUS client), and in turn Cisco is the RADIUS server for the fw of different vendors. This works perfectly with the necessary tuning.
Hi Ted - the link for the "High-Level Authentication Flow" is no longer valid - I'm still trying to figure out how to help my Cisco guys connect to our Authentication Mgr using RADIUS.