Pricing  Get Quote

Configuring MFA for ISE with RADIUS

This guide provides steps for enabling multi-factor authentication (MFA) using RADIUS for Cisco's Identity Services Engine (ISE) product using ManageEngine ADSelfService Plus' MFA for VPN feature.

To enable RADIUS-based authentication for Cisco ISE, the MFA for VPN supports the following authentication methods in addition to the default username and password-based authentication:

  • Push Notification Authentication
  • Fingerprint/Face ID Authentication
  • ADSelfService Plus TOTP Authentication
  • Google Authenticator
  • Microsoft Authenticator
  • Yubico OTP (hardware key authentication)

The RADIUS-based MFA process for Cisco ISE using ADSelfService Plus

RADIUS-based MFA process for Cisco ISE

Configuration process


  • Your ADSelfService Plus license must include Endpoint MFA. Purchase it from the store.
  • Configure your Cisco Firepower Threat Defense (FTD) VPN to use RADIUS authentication.
  • For the RADIUS server, you must use a Windows server (Windows Server 2008 R2 and above) with the Network Policy Server (NPS) role enabled.
  • Enable HTTPS in ADSelfService Plus (Admin → Product Settings → Connection).
    Note: If you are using an untrusted certificate in ADSelfService Plus to enable HTTPS, you must disable the Restrict user access when there is an invalid SSL certificate option in Configuration → Administrative Tools → GINA/Mac/Linux (Ctrl+Alt+Del) → GINA/Mac/Linux Customization → Advanced.
  • In Active Directory, set users’ Network Access Permission to Control access through NPS Network Policy in their Dial-in properties.
  • The Access URL you have configured in Admin → Product Settings → Connection → Configure Access URL will be used by the NPS extension to communicate with the ADSelfService Plus server. Make sure you have updated the Access URL before installing the NPS extension.
  • In the Windows NPS server, where the NPS extension is going to be installed, set the Authentication settings of the Connection Request Policy to Authenticate requests on this server.

Step 1. Configuring MFA in ADSelfService Plus

  1. Log in to ADSelfService Plus as an admin.
  2. Go to Configuration → Self-Service → Multi-Factor Authentication → Authenticators Setup.
  3. Configure the authentication methods required.

    Configuring multi-factor authentication method

  4. Go to MFA for Endpoints.
  5. Select a policy from the Choose the Policy drop-down. This policy will determine the users for whom MFA for Cisco ISE will be enabled. To learn more about creating an organizational unit or a group-based policy, click here.
  6. In the MFA for VPN Login section, select the checkbox next to Select the authenticators required. Choose the number of authentication factors to be enforced. Select the authentication methods to be used. The authentication methods listed can also be rearranged by dragging and dropping at the necessary position.

    MFA for VPN Login

  7. Click the help icon next to MFA for VPN.
  8. Download the NPS extension using the Download link provided in the pop-up that appears.

    Download the NPS extension

Step 2. Install the NPS Extension

  1. Copy the extension file ( to the Windows server, which you have configured as the RADIUS server. Extract the ZIP file’s content and save it in a location.
  2. Open Windows PowerShell (x64) as administrator and navigate to the folder where the extension files content is located.
  3. Execute the following command:
    PS C:\> .\setupNpsExtension.ps1 Install
    Note: If the NPS extension plug-in has to be uninstalled or updated to newer versions and configuration data, enter Uninstall and Updated respectively instead of Install.
  4. After installation, you will be prompted to restart the NPS Windows service. Proceed with the restart.
  5. Configure a RADIUS client in the NPS service for ADSelfService Plus. Set a shared secret during configuration for future use.

Step 3. Configure Cisco ISE

  1. Navigate to Administration → Network Resources → External RADIUS Servers and click Add.

    Configure Cisco ISE

  2. Enter ADSelfServicePlusRADIUS as the name and enter the following information:
    • Host IP: The hostname or IP address of your NPS server.
    • Shared Secret: Mention the shared secret set during RADIUS client configuration.
    • Authentication Port: 1812 (or whichever port specified in your authproxy.cfg file).
    • Server Timeout: Provide a minimum of 65 seconds to allow sufficient time to complete MFA.
  3. external radius server

  4. Click Save to add the new server.
  5. Navigate to Administration → Network Resources → RADIUS Server Sequence and click Add.

    RADIUS Server Sequence setup

  6. Enter the Name as ADSelfServicePlusRADIUSSequence.
  7. Select the ADSelfServicePlusRADIUS server from the Available list, and click the arrow to add the ADSelfServicePlusRADIUS server to the Selected list. Also, select the Local accounting checkbox.
  8. If authorization settings or other device posturing settings have to be configured with the ISE policies then select the On AccessAccept checkbox. Then go to Advanced Attribute Setting → Authorization Policy. If not, leave the checkbox unselected.

    enable authorization policy

  9. Click Save to apply the change.
  10. Go to Policy → Policy Sets.
  11. Click the drop-down of the policy set to be modified and select ADSelfServicePlusRADIUSSequence.

    Configuring MFA for ISE with RADIUS

  12. Click Save.

Features of ADSelfService Plus

For more information on the product, visit If you have any questions, contact us at

Secure Cisco ISE VPN logins with RADIUS-based MFA

  Download a free trial now!  Request demo

Request for Support

Need further assistance? Fill this form, and we'll contact you rightaway.

  • Name
  • Business Email *
  • Phone *
  • Problem Description *
  • Country
  • By clicking 'Submit' you agree to processing of personal data according to the Privacy Policy.

Password self-service

Free Active Directory users from attending lengthy help desk calls by allowing them to self-service their password resets/ account unlock tasks. Hassle-free password change for Active Directory users with ADSelfService Plus ‘Change Password’ console. 

One identity with Single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials. Thanks to ADSelfService Plus! 

Password/Account Expiry Notification

Intimate Active Directory users of their impending password/account expiry by mailing them these password/account expiry notifications.

Password Synchronizer

Synchronize Windows Active Directory user password/account changes across multiple systems, automatically, including Office 365, G Suite, IBM iSeries and more. 

Password Policy Enforcer

Ensure strong user passwords that resist various hacking threats with ADSelfService Plus by enforcing Active Directory users to adhere to compliant passwords via displaying password complexity requirements.

Directory Self-UpdateCorporate Search

Portal that lets Active Directory users update their latest information and a quick search facility to scout for information about peers by using search keys, like contact number, of the personality being searched.

ADSelfService Plus trusted by

Embark on a journey towards identity security and Zero Trust