I recently worked on a Cisco ISE installation at a facility that required higher security. They utilized an RSA SecurID server and hardware tokens for their VPN and TACACS+ authentications. Since they were moving from ACS to ISE, we had to add the RSA server to the ISE configuration. That lead the customer asking “Can we use the RSA tokens for authenticating into the ISE GUI?”.
Yes, yes we can. Due to the security protocols they have in place, I was not able to take screenshots of the configuration. I will detail out the steps performed below.
Steps for configuring ISE admin GUI access using RSA SecurID accounts
- Add the RSA server to the ISE deployment.
- Add the server under Administration > Identity Management > External Identity Sources > RSA SecurID
- Set admin access to use the new RSA server for authentication.
- Go to Administration > System > Admin Access > Authentication > Authentication Method.
- For the Authentication Type, set it to Password Based.
- Set the Identity Source (drop down menu) to the RSA server you configured in Step 1.
- Create the admin user.
- Very important note: The username supplied here must match what is configured for a user account on the RSA SecurID server.
- Go to Administration > System > Admin Access > Administrators > Admin Users and click Add.
- Choose Create an Admin User to create a new users or Select from Network Access Users if you have a user account you want to use already defined.
- No matter which option about you choose, on the following screen you need to put a check mark next to External. This configures ISE to send the username and password/token to the external identity source you set in Step 2. Setting this disables all of the password fields because an internal ISE password is not set. It also excludes the account from being automatically disabled if it is inactive.
- Select the Admin Groups to set the access level you want to allow for this user (e.g. Super Admin for full access).
- All other fields, such as email and description, is optional and only for your internal information.
That’s it. Log out of the current session, or open the ISE admin GUI from a different browser, and you will see an Identity Source field (drop down menu) under the Password field. It will be set to the RSA SecurID server you configured in Step 1 by default. Try logging in using the admin user account you created in Step 3. The RSA token will go into the Password field.
You can always fall back to a local admin account by changing the Identity Source on the login page to Internal if the RSA login fails or ISE loses connection to the RSA SecurID server.
ISE 2.3 Administration, Monitoring, Policy Service, pxGrid PRI(A), PRI(M) — VMware_node
ISE 2.3 Administration, Monitoring, Policy Service, pxGrid SEC(A), SEC(M) — Hyper-V_node
There is only tab ( administration ) on the site On Hyper-V_node.
I can’t see monitor/radius_logs.
You are limited on what you have access to on the secondary PAN and the MNT nodes. You will only be able to access the logs and other settings when connected to the primary PAN. This was changed since I believe the release of 2.0. Try failing over the primary PAN persona (services will restart) and you should then see everything on the second PAN.
I ran into an issue with RSA SecurID where if the RSA server is set to push options to the client, the admin login page would have issues and it confuses our admins.
Here is what I mean…
The admin browses to ISE.
Identity Source is set to SecurID.
The admin logs in with his credentials.
ISE then refreshes and asks for username and password again but there is text in the backgroun that says press 1 for push, 2 for token.
The users had to enter their username again and enter “1” in the password to get the push notification. It was awkward.
To go around this awkwardness, I set SecureID to auto push the notifications to the phone for the ISE nodes (we all use that option anyways).
The only issue now is whenever I set the auto push notifications, it does the same for tacacs since we have it using SecurID for MFA as well.