topic Re: ISE as dedicated radius in Network Access Control

ISE as dedicated radius

suthomas1 — Sun, 03 Nov 2019 10:33:21 GMT

Hello,

for one of our projeccts, we are looking at using ise as radius primarily for VPN users.

now, what is the case for spending on ISE instead of directly getting ASA firewall talk to MS active directory or ldap.

After all ISE will only be facilatiting communication between asa & active directory for user authentication.

Appreciate all inputs.thanks.

Re: ISE as dedicated radius

alex_dufresne — Sun, 03 Nov 2019 11:38:17 GMT

If you're only looking for using LDAP accounts for your logins, then ISE does not bring much to the table.

The biggest advantage that you'll get is that you can manage your policies much more effectively in ISE than using ldap attribute-map on the ASA.

Moreover, ISE allows you to more effectively build your policy and to expand your identity control to other solutions that do not natively support LDAP authentication/authorization.For example, if you have a multi-vendor network or if you want to implement Duo two-factor authentication with Duo Prompt, RADIUS is the best option.

Re: ISE as dedicated radius

suthomas1 — Sun, 03 Nov 2019 22:28:34 GMT

Thank you.

there was also a discussion of using windows nps instead of dedicated radius solutions(eg. ISE).

I have not used windows nps before & have no idea on how good/bad it is for a vpn scenario?

Additionally,i also heard that having the asa directly talk to ldap or windows nps is not considered best security.

Appreciate inputs.

Re: ISE as dedicated radius

hslai — Fri, 08 Nov 2019 17:53:37 GMT

Our team can't comment on any 3rd-party products. I would suggest you to test it yourself and consult the vendor's support if running any issue.

The main issue with connecting AD using an LDAP interface is that it does not scale well. In case you have only one domain controller and one ASA, then it's likely simpler for you to connect ASA directly to AD via LDAP.