topic Re: ISE support for VPN users in Network Access Control

ISE support for VPN users

jinapark — Wed, 14 Mar 2018 09:31:55 GMT

Hello Experts!

My customer wants to VPN user AAA using AD+OTP and management approval.

- This is for VPN solution only and applied to all devices including personal devices (laptop, iPad etc) and company-owned device (laptop)

- The approval process from management needs to be done every time of VPN access. Currently, they have VPN solution with AD auth and OTP. They need an extra layer of security with management approval before establishing VPN connection.

What I understand is, the customer can do it RSA-AD authentication and there’s no way we can combine management approval on top of it. Does anyone know if we can combine management approval feature with other methods like AD, RSA, LDAP etc? I only could see that management approval is supported for guest service that self-registered guest request will be sent to the sponsor for approval, and we can't combine it with AD or OTP service, but I would like to check if there's any method we can work around.

Any comments or design would be highly appreciated!

Regards,

Jina

Re: ISE support for VPN users

gbekmezi-DD — Wed, 14 Mar 2018 18:27:23 GMT

This is an odd request. I don’t see how ISE can help you with this. One way you could accomplish this is by creating a portal/web page for the VPN request. Have that page send an email or text to the manager. Then the manager clicks on a link that adds the requestor to a VPN approved group for some amount of time (maybe 10 minutes). Then you can authorize the user based on group membership.

George

Re: ISE support for VPN users

hslai — Thu, 15 Mar 2018 03:48:33 GMT

I agreed with George.

ASA supports multiple authentications so it's possible to have an OTP that only managers have access to and for them to provide the passcodes to the VPN users. Or, some MFA with one factor to send SMS or the like to the managers to accept the requests.

Re: ISE support for VPN users

paul — Thu, 15 Mar 2018 13:30:17 GMT

Just to add to what has already been said. You could craft something with REST API integration as well, but it seems like you are trying to solve what is a non-technical problem.

A person just doesn't get an RSA token on their own. The customer has no management approval required to hand out RSA tokens?

A person doesn't automatically get added to the AD group required for VPN access. The customer has no management approval required to get added to the AD group required for VPN access?