topic Re: [ISE and anyconnect] ISE version and MFA with ipsec anyconnect tunnels and firepower in Network Access Control

[ISE and anyconnect] ISE version and MFA with ipsec anyconnect tunnels and firepower

Kris Tof — Fri, 14 Feb 2020 16:10:03 GMT

Hello community,

I plan to deploy an architecture as follow :
Anyconnect client<====IPSEC tunnel====> firepower with ASDM<=> ISE + external authentication provider
I am relatively new on ISE and I am trying to understand all interactions between components.

The solution should handle theses multiple authentications :
- machine certificate
- user certificate or credential
- external identity provider for second user authentication (ex: OTP)

1)My first (pre)question is about ISE version. Which is the recommended version to deploy for a fresh new install ?
Version 2.7 has been released since Q4 2019. There are a lot of changes and specially MnT database optimizations. But this version is relatively new.

2) Regarding authentication, I understand that machine certificate is normally used for tunnel establishment. The Firepower then forwards user authentication to ISE. ISE can contact an AD or Radius for first user authentication.
I look at the use case IPSEC with duo. A DUO (or another identity provider) authentication proxy seems mandatory to handle second authentication. Regarding ISE capabilities, I would like to not use an authentication proxy for second authentication.

I have seen in ISE 2.6 admin guide that we can define an SAML IdP as external identity source.
Does ISE can handle SAML requests for second authentication in a use case with anyconnect client IPSEC tunnel and firepower as IPSEC termination ?
And if so, could you describe the authentications steps ? (user portal needed? which component asks external IdP? (firepower, ise,..?)

Re: [ISE and anyconnect] ISE version and MFA with ipsec anyconnect tunnels and firepower

Greg Gibbs — Mon, 17 Feb 2020 03:42:19 GMT

1. ISE 2.6 is currently the Cisco Suggested release based on software quality, stability and longevity. ISE 2.7 would only be recommended if you require a new feature implemented in that version.

2. As noted in the ISE Admin Guide, SAML IdP is only supported for portal-based authentication for the following ISE Portals:

Guest portal (sponsored and self-registered)
Sponsor portal
My Devices portal
Certificate Provisioning portal

Cheers,

Greg

Re: [ISE and anyconnect] ISE version and MFA with ipsec anyconnect tunnels and firepower

hslai — Fri, 21 Feb 2020 04:32:47 GMT

Adding to Greg's...

Duo is mainly cloud-based so auth proxy required to get OTP authenticated. Thus, you may opt for an on-prem OTP provider, instead.

Re: [ISE and anyconnect] ISE version and MFA with ipsec anyconnect tunnels and firepower

Kris Tof — Mon, 24 Feb 2020 09:29:53 GMT

Thank you Greg and hslai (and sorry for my late response).

Ok for ISE version 2.6.

For second user authentication, I would like to try avoid the use of a proxy between ISE and external authentication source.

Our cloud provider allows radius or https requests to get push mobile. Proxy radius is used to encapsulate radius request in https flow (more reliable than direct radius request on Internet). That's why I think to SAML.

But according to your answers, I need a proxy.

I am still not familiar with ISE authentications mechanisms.