Cisco Identity Services Engine (ISE) can use RSA Authentication Manager as an External Identity Source, either through the native SecurID agent protocol or through RADIUS. Simple or rule-based authentication policies then determine which External Identity Source a given authentication request is checked against.
I can remember the day when I worked on a project in which the customer wanted to use hardware tokens and an RSA SecurID server for their VPN and TACACS+ authentications together with Cisco ISE.
Since they were migrating from ACS (5.8) to ISE (2.3), we had to add the RSA server to the ISE configuration.
After a week, one of the technicians of that IT company called me to ask whether they could use RSA tokens to authenticate to the ISE GUI.
My answer was: A HUGE YESSSS!!!!
Here is the order of operations to accomplish this:
1. Add the RSA server to your ISE deployment (Administration > Identity Management > External Identity Sources > RSA SecurID). For the native SecurID integration, each ISE node has to be registered as an authentication agent on the RSA Authentication Manager, and the sdconf.rec file exported from the Authentication Manager is imported into ISE here.
2. Set admin access to use the new RSA server for authentication.
Go to Administration > System > Admin Access > Authentication > Authentication Method.
For the Authentication Type, select Password Based.
Set the Identity Source (drop-down menu) to the RSA server you configured in Step 1.
3. Create the admin user.
Go to Administration > System > Admin Access > Administrators > Admin Users and click Add. Whichever of the two options you choose there (creating a new admin user or selecting an existing network access user), on the following screen put a check mark next to External. This tells ISE to send the username and password/token to the external identity source you set in Step 2. Checking it disables all of the password fields, because no internal ISE password is set for the account, and it also excludes the account from being automatically disabled when it is inactive. The username you enter must match the user's name in RSA Authentication Manager, and the account still needs to be assigned to an admin group (for example Super Admin) to get any rights in the GUI.
Congrats! Your configuration is done! :)
To verify your configuration, open the ISE admin GUI in a different browser (or a private/incognito window) or simply log out of the current session. You will now see an Identity Source field (drop-down menu) under the Password field. By default it is set to the RSA SecurID server you configured in Step 1.
Try logging in with the admin user account you created in Step 3, entering the RSA passcode (PIN plus the tokencode displayed on the token) in the Password field.
You can always fall back to a local admin account by changing the Identity Source on the login page to Internal if the RSA login fails or ISE loses its connection to the RSA SecurID server. Keep in mind that this fallback is available to anyone at the login page, so the internal account is only as strong as its password: keep it as a break-glass account with a long, unique password, and review the admin password policy and account lockout settings under Administration > System > Admin Access > Authentication so that a brute-force attempt against the Internal source does not quietly bypass your token requirement.
Thank you for reading my article and I hope it was informative for you!
Author: Mike Ghahremani
Editor: Jimmy Harold
TRADEMARK LEGAL NOTICE
All product names, logos, and brands are property of their respective owners in Austria or other countries.
All company, product and service names used on this website are for identification purposes only. Pheniix is not affiliated with or an official partner of Cisco, CompTIA, Dimension Data, VMware, Amazon, Microsoft, Certified Ethical Hacker, (ISC)², Juniper, Wireshark, Offensive Security, Google, GNS3, F5, Python, Linux, Java, OpenStack, Vagrant, Ansible, Docker, Git, Blockchain or other companies.
Use of these names, logos, and brands does not imply endorsement.
The opinions expressed on Pheniix are personal perspectives and not those of Cisco, Dimension Data or any other company. Pheniix runs as an independent blog.