I have a customer who falls under PCI compliance scrutiny. I was in conversation yesterday with the auditor, and he indicated that I did not have two-factor authentication set up exactly as it is defined.
What I have configured is that when an admin attempts to authenticate to our router, the router is configured to talk to our TACACS box which in turn queries our Active Directory for authentication. Once authenticated via TACACS, the authenticating admin is prompted for the enable secret password.
The auditor explained to me that these were two examples of "something you know" and realistically would not pass for two-factor authentication.
How can I configure my router(s) for two-factor authentication?
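As an added illustration (not part of the original question), the following Cisco IOS AAA fragment reproduces the setup the poster describes: login authentication goes to a TACACS+ server (which in turn checks Active Directory), and the enable step is a separate password prompt. The server address, key name and server name are assumed placeholders. It is included only to show where the two "something you know" checks sit in such a configuration; it is not a two-factor setup and is not an answer to the question.

```cisco
! Assumed example configuration, not the poster's actual config.
aaa new-model

! TACACS+ server definition; address and shared key are placeholders.
tacacs server TACACS-PLACEHOLDER
 address ipv4 192.0.2.10
 key PLACEHOLDER_SHARED_KEY

aaa group server tacacs+ TAC-GROUP
 server name TACACS-PLACEHOLDER

! Factor 1 ("something you know"): the admin's AD password, checked via TACACS+.
! Falls back to the local database only if the TACACS+ server is unreachable.
aaa authentication login default group TAC-GROUP local

! Factor 2 as described by the poster: the enable secret, again "something you know".
! The local enable secret is used when the TACACS+ server does not return one.
aaa authentication enable default group TAC-GROUP enable

enable secret PLACEHOLDER_ENABLE_SECRET

line vty 0 4
 login authentication default
```

Both prompts in this flow verify a memorized secret, which is why the auditor treats them as the same factor; a second factor would have to come from something other than a further password (for example a token or certificate held by the admin) and would be validated by the AAA server rather than by adding another password prompt on the router.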