topic Re: ISE and F5 RAS Integration in Network Access Control

ISE and F5 RAS Integration

mgarvie — Thu, 15 Mar 2018 18:03:51 GMT

I am looking to understand what capabilities we have to integrate with F5 Remote Access with ISE providing Authentication and Authorisation services. Customer is using ISE in the wireless network but would like to extend this to their F5 RAS environment. Do we have any examples of this? I am looking to understand what, if anything is possible.

The requirement from the customer is as follows:-

Prior to our call here are some details on our F5 RAS solution, any ideas

around integrating the ISE NAC capabilities would be greatly appreciated.

Design details of the solution:

(Embedded image moved to file: pic48733.gif)

SecureID Authentication

The F5 system was added to customer’s RSA Authentication Manager system and a

RSA SecureID Authentication server called Customer_SecureID was defined on

the F5 system by importing the sdconf.rec file. All users are

initially authenticated by SecureID.

AD Authentication

After the SecureID check, users are next authenticated against the customer's

Active Directory domain. The F5 system binds to Active

Directory using a service account to check credentials. This is

necessary in order for the F5 system to allow users to change expired

passwords.

Client Type Check

The client type is determined by examining the user agent HTTP header

that is part of client requests. If the client is detected to be an

F5 standalone client then functionality branches to provide

network-level access. Anything else is assumed to be a web browser

requiring Citrix access.

Machine Certificate Check

Users with F5 clients must pass an additional check to ensure that they

have an customer machine certificate installed. The machine certificate

checker is a client-side component that is downloaded to end users.

The computer certificate store is searched for entries issued by the

customer’s certificate authority . Any matching certificates are sent to

the F5 system and from there checked using OSCP. Users without a

valid certificate are presented with a warning message and disconnected.

Network Client Access

Client-based users with valid machine certificates are granted network

access. A virtual adapter on their PC is configured with an address

from a pool maintained on the F5 system.

Citrix Access

Users with any client other than a standalone client are directed to the

Citrix system. The F5 APM connects to the Citrix XML service and,

using the credentials stored when the user logged on, authenticates and

reads their list of applications.

The F5 APM system replaces the Citrix Storefront/Web Interface modules,

providing users with a menu of applications through its own user

interface.

When the user clicks on an item on the applications menu, an ICA session

is launched that is proxied through the F5 virtual server.

Re: ISE and F5 RAS Integration

Jason Kunst — Thu, 15 Mar 2018 18:32:19 GMT

Might work with new anyconnect agent that doesn’t require redirect ise 2.2 and higher

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html

Best to test it out and share your findings as I don’t think anyone has done that

Re: ISE and F5 RAS Integration

Craig Hyps — Fri, 16 Mar 2018 09:47:19 GMT

First let me call out that this is a public forum. Please do not post any information that is deemed customer sensitive or confidential. You have cited a specific organization and security policy so I have edited the names used. We have a separate partner forum used for questions that may require the inclusion of customer-sensitive data, but this question could be asked without divulging customer.

Not sure of Posture is a requirement here, but the current solution is tightly coupled to F5 client usage. It may be better to understand challenges with current setup as I often follow the concept of "if it is not broken, don't fix it". ISE can certainly provide integration with RSA, AD, and machine authentication via certs.

Since mentioned RAS (and assume not mixing with RSA use), is this a remote access VPN setup with access to Firepass and then to APM over VPN, or LAN connection direct to APM? I ask since the VPN termination and auth will happen separately from the APM validation. For example, we have ASA to terminate VPN via certificate, RSA/OTP, and AD prior to getting network access. Authorization can be assigned via ISE.

Assuming this is a LAN connection, ISE could perform some of the initial network authentication through 802.1X using certs, OTP, or AD machine/user auth. It could also integrate via a RADIUS interface to APM (where ISE is RADIUS server) as shown here. Citrix can also be integrated into TS-Agent to our firewalls.

Finally, there were discussions at one time regarding potential for F5 to integrate APM with pxGrid to use ISE session data (proof of authentication and role assignment) to more seamlessly provide secure application access, but not sure F5 has moved on that option.

Need to return to the "what is the problem to be solved" and that will help guide whether it makes sense to offload some of the AAA functions to ISE.

Craig

Re: ISE and F5 RAS Integration

mgarvie — Fri, 16 Mar 2018 17:46:01 GMT

Craig,

Apologies, I posted in the wrong forum as a result of trying to do this quickly. Thanks for the answer. In response to your question, this is F5 Remote Access so yes, VPN connectivity as opposed to LAN.

There isn't a problem as such, the customer is however looking to leverage ISE to the maximum extent possible and would like to perform some NAC actions (not defined in detail yet) if possible.