topic Re: Hi Rahul, in Network Access Control

Cisco ISE 2.2.0 and Palo Alto VPN client GlobalProtect

albertofdez — Mon, 11 Mar 2019 07:48:11 GMT

Hi,

I have Cisco ISE 2.2.0 installed and running for a bunch of things and everything works perfectly except Palo Alto remote access VPN user validation with the GlobalProtect client.

This works perfectly with the Microsoft NPS Radius, but there is no way to reproduce the conditions and authorization profile to work with Cisco ISE.

Does anyone have the necessary parameters or can someone help me?

Best regards.

I have not integrated them

Rahul Govindan — Wed, 21 Jun 2017 21:38:27 GMT

I have not integrated them both together, but if you are able to get it working with NPS, the same principles should hold true for ISE. What exactly is failing when you have ISE as the AAA server?

Hi Rahul,

albertofdez — Wed, 21 Jun 2017 22:05:03 GMT

Hi Rahul,

In NPS there are created 2 attributes with a specific vendor the 25461, I attach images of how they are created.

I just found Palo Alto website a document, I attached image, to create a new Vendor in Cisco ISE for this manufacturer and the parameters to be defined, but the VSA1 and VSA2 do not seem to match those used by the NPS .

VSA 1 = PaloAlto-Admin-Role
VSA 2 = PaloAlto-Admin-Access-Domain

They look more like access to management than VPN access.

Best regards

I am not sure if I understood

Rahul Govindan — Wed, 21 Jun 2017 22:49:29 GMT

I am not sure if I understood your issue. But it looks like you are on the right track. You have the Palo Alto VSA Dictionary and Attributes on the ISE. Now all you have to do is to have this Attribute mapped to a value (in your case SE-Admin-Access and SANLUCAR) in the Authorization profile. See attached.

Correct, is what I have

albertofdez — Wed, 21 Jun 2017 23:07:26 GMT

Correct, is what I have configured tomorrow I try with the client and I tell you if it works

Thanks

Hi Rahul,

albertofdez — Thu, 22 Jun 2017 11:05:27 GMT

Hi Rahul,

I just tried it and it works perfectly, I had to create a new Radius Vendor called PaloAlto_Vendor and a new Network Device Profile called PaloAltoNetworks to which I added this dictionary.

Then I have associated the 2 PA-500s created in Network Devices with their Profile Name PaloAltoNetworks.

And finally I created an Authorization Profile called Permit_VPN where I added the VSA1 and VSA2 with the parameters of the image.

I hope this is clear, if anyone needs more data or help I will be happy to help.

Best regards.

Glad to heat that it is

Rahul Govindan — Thu, 22 Jun 2017 11:12:40 GMT

Glad to heat that it is working for you. Thanks for reverting back with this information.

Re: Hi Rahul,

andypage1 — Thu, 15 Aug 2019 09:13:03 GMT

hi Alberto

I wondered if you had managed to integrate the Posture assessment capabilities of the ISE into the Solution you have implemented with global Protect.

Also have you had any issues with the solution since you implemented it ?

Andy

Re: Hi Rahul,

Jeffrey Jones — Sat, 13 Jun 2020 05:09:35 GMT

So VSA1 and VSA2, where in globalprotect, as that is not in the client anywhere

Re: Cisco ISE 2.2.0 and Palo Alto VPN client GlobalProtect

manvik — Sat, 27 Feb 2021 10:21:48 GMT

Have anyone got Globalprotect agent working with Cisco ISE posture module. ie when Remote VPN user connects via Globalprotect ISE posture module kicks and send info to Cisco ISE.

Re: Cisco ISE 2.2.0 and Palo Alto VPN client GlobalProtect

thomas — Wed, 10 Mar 2021 03:43:01 GMT

ISE Posture is a module in AnyConnect. You would need to use AnyConnect as your VPN agent.

Re: Cisco ISE 2.2.0 and Palo Alto VPN client GlobalProtect

manvik — Sat, 13 Mar 2021 04:55:56 GMT

You are right, but how to implement Cisco ISE posture for Remote VPN users who are already using PA Globalprotect.