MFA for Cisco ISE
Cisco ISE is the policy brain for network access — VPN, 802.1X, and TACACS+ device administration all funnel through it. ISE handles authentication and authorization, but adding a phishing-resistant second factor across every policy set is its own project. Authnull integrates as an external identity/RADIUS source so ISE can call out for MFA without you rebuilding policy. You register Authnull as an external RADIUS server, reference it from the relevant policy sets, and a factor is enforced on the access methods you choose.
Cisco ISE forwards the login; Authnull adds the factor.
ISE forwards authentication to Authnull as an external RADIUS server; Authnull validates the primary identity, challenges for the factor, and returns the result to ISE, which applies its authorization policy. Keep your existing ISE policy sets — you are adding a step, not replacing them.
Configure MFA for Cisco ISE
Real steps — the exact menus, fields, and values. Follow along in your console; the whole thing takes about 25 minutes.
1. Add Authnull as an external RADIUS server
   Register the Authnull connector as an external RADIUS server in ISE with the shared secret.
2. Create a RADIUS server sequence
   Build a server sequence that includes Authnull so policy sets can reference it.
3. Reference it from the policy set
   In the relevant policy set, use the server sequence so the MFA step runs for that access method (VPN, 802.1X, or device admin).
4. Test against a NAS
   Authenticate from a covered device and confirm ISE shows the Authnull step and the factor challenge in Live Logs.
Closes the MFA gap auditors look for
Enforcing MFA on Cisco ISE gives you evidence for the remote-access and privileged-access controls in SOC 2 and the access requirements under CCPA — with per-login logs you can hand straight to an assessor.
Add MFA to Cisco ISE — free to start.
Spin up Authnull, point Cisco ISE at it, and enforce a factor on a pilot group today. No card, no rip-and-replace.