Contents

Cisco ISE Integration with AuthPoint

Deployment Overview

This document describes how to set up multi-factor authentication (MFA) for Cisco® ISE with AuthPoint as an identity provider. Cisco ISE must already be configured and deployed before you set up MFA with AuthPoint.

Cisco ISE can be configured to support MFA in several modes. For this integration, we set up SAML with AuthPoint.

This integration was tested with Cisco ISE v2.4.0.357.

Cisco ISE Authentication Data Flow with AuthPoint

AuthPoint communicates with various cloud-based services and service providers with the SAML protocol. This diagram shows the data flow of an MFA transaction for a Cisco ISE.

Topology

Before You Begin

Before you begin these procedures, make sure that:

  • End-users can log in to Cisco ISE
  • A token is assigned to a user in AuthPoint
  • You have an AuthPoint identity provider (IdP) certificate

Configure Cisco ISE

To start, you must download the metadata file from the Resources page in the AuthPoint management UI. Once you have that, you can configure Cisco ISE.

From the WatchGuard Cloud web UI:

  1. From the navigation menu, select Configure > AuthPoint. If you have a Service Provider account, you must first pivot to your Subscriber view.
  2. Select Resources.
  3. Click Certificate.

  1. Next to AuthPoint certificate you will associate with your resource, click and select Download Metadata.

    We recommend that you choose the certificate with the latest expiration date.

    The AuthPoint metadata provides your resource, in this case Cisco ISE, with information necessary to identify AuthPoint as a trusted identity provider.

  1. Log in to your Cisco ISE server.
  2. Select Administration > External Identity Sources.
  3. Select SAML Identity Providers. Click Add.

navigate to administration-SAML Id Providers

  1. In the Id Provider Name text box, type a name to identify the identity provider. In our example, we type AuthPoint.

give name of IDP

  1. Select the Identity Provider Config. tab.
  2. Click Choose File and upload the AuthPoint metadata file you downloaded.

upload IDP metadat

  1. Click Submit.
  2. Select Administration > My Devices.

add portal

  1. Click Create.
  2. In the Portal Name text box, type a name.
  3. Expand Portal Settings. From the Authentication method drop-down list, select the identity provider you added. In our example, this is AuthPoint.
  4. Click Save.

device portal settings

  1. Select Administration > External Identity Sources.
  2. Select SAML Identity Provider.
  3. Select the SAML identity provider you added.
  4. Select the Service Provider Info tab.
  5. Click Export to save the Service Provider metadata.

export SP metadata

Configure AuthPoint

Before AuthPoint can receive authentication requests from Cisco ISE, you must specify Cisco ISE as a resource in AuthPoint. You must also assign the Cisco ISE resource to the user group that will authenticate through Cisco ISE.

Add a SAML Resource in AuthPoint

From the AuthPoint management UI:

  1. From the navigation menu, select Resources.
  2. From the Choose a Resource Type drop-down list, select SAML. Click Add.

  1. On the SAML page, in the Name text box, type a name for this resource.
  2. From the Application Type drop-down list, select Other.
  3. In the Service Provider Entity ID text box, type http://<instance>/<id>.This value is copied from the Cisco ISE metadata file.
  4. In the Assertion Consumer Service text box, type ttps://<instance>/mydevicesportal/SSOLoginResponse.action. This value is copied from the Cisco ISE metadata file.
  5. In the Logout URL text box, type https://<instance>/mydevicesportal/SSOLogoutRequest.action?portal=<id>. This value is copied from the Cisco ISE metadata file.
  6. Click Save.

Add an Access Policy to AuthPoint

You must have at least one user group in AuthPoint for authentication with Cisco ISE, and you must assign an access policy for the Cisco ISE resource to that group. If you already have a group, you do not have to add another group.

In the AuthPoint management UI:

  1. Select Groups.
  2. To add a new group, click Add. If you already have a group that you want to use, click the Name of your group to edit it.

  1. In the Name text box, type a descriptive name for the group.
  2. (Optional) In the Description text box, type a description of the group.

  1. In the Access Policy section, click Add Policy.

  1. In the Add Policy dialog box, from the Resource drop-down list, select the resource you want to add an access policy for.
  2. (Optional) To require that users type their password before they authenticate for this resource, select the Require Password Authentication slider.
  3. Select which authentication options users in this group can choose from when they authenticate.

    For SAML resources, if you select more than one authentication option, users must choose one of the available options when they authenticate. For example, if you select OTP and Push users can choose whether to type their OTP or approve a push to authenticate, but you cannot require that they do both.

  1. Click Add.

  1. (Optional) Add one or more safe locations to your group. For more information about safe locations and detailed instructions to add them, see About Safe Locations.
  2. Click Save.

Before you can assign users to a group, you must add them to AuthPoint. You can either manually add user accounts, or import user accounts from your LDAP database. For more information about how to add user accounts, see Add User Accounts.

Test the Integration

To test MFA with Cisco ISE, you can authenticate with the mobile token on your mobile device. You can choose any method (push, QR code, or one-time password).

In this example, we show the push authentication method (users receive a push notification in the mobile app that they must approve to authenticate).

  1. In a web browser, go to the Cisco ISE URL.
  2. Type your email address or AuthPoint user name. Click Next.
  3. If required, in the Password text box, type your password.
  4. For the authentication method, select Push.
  5. Click Send.
  6. Approve the authentication request that is sent to your mobile device.
    You are logged in to Cisco ISE.

Give Us Feedback  ●   Get Support  ●   All Product Documentation  ●   Technical Search