topic Re:Anyconnect and ISE in Network Access Control

Anyconnect and ISE

endpoint — Mon, 11 Mar 2019 03:01:00 GMT

Currently i have setup a ASA 5510, 8.4 as vpn headend, Cisco ACS 4.2 as RADIUS server for AAA (groups in radius server are mapped to AD groups).

Would like to see if i can use ISE to authenticate vpn users, push VPN ACL to vpn users, basically to replace ACS with ISE. we are planning to use ISE for other AAA/posture/policy usages for our wired and wireless clients.

Are there any good docs explaining how to configure ISE to provide aaa for Anyconnect VPN users? I got some basics ISE configured (AD integration, get groups from AD, added ASA VPN and WLC devices into ISE) but missing pars how to basically replace ACS with ISE

Any help in this filed is appreciated.

Regards,

Re:Anyconnect and ISE

Tarik Admani — Sun, 27 Jan 2013 06:28:21 GMT

Hi,

Yes you can use ise to push acls to your vpn clients. Are you using per user acls or dacl for your acls configuration?

All you need to do is note the contents of your acls, and migrate that over in the results section in the policy elements configuration.

You can then place the asa in its own device group, map the network device group and the domain user group and send back the result for vpn access.

Since the ise uses radius accounting to track license enforcement. You will need add a new aaa-server configuration on your asa, under you tunnel group you will have to set the authentication server group and accounting server group to point to ise.

Thanks,

Sent from Cisco Technical Support Android App

Re:Anyconnect and ISE

endpoint — Mon, 28 Jan 2013 15:25:33 GMT

Hi Tarik

Thanks for responce.

I am using per group ACL.

Do you have any good documents you want to share about setting it all up?

Anyconnect and ISE

Naveen Kumar — Fri, 26 Apr 2013 21:17:14 GMT

Hello ,

Please check this document, I hope this helps you:

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/acs.pdf