https://community.cisco.com/t5/network-access-control/ra-vpn-any-connect-password-change-using-ise-and-active/m-p/4303246#M565948 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/338251">@Philip Badhams</a>&nbsp;</P><P>&nbsp;yes,&nbsp;<STRONG>ISE</STRONG> is required to integrated with <STRONG>AD</STRONG>&nbsp;in <STRONG>External Identity Sources &gt; Active Directory</STRONG>... on the link that you provided search for <STRONG>Cisco ISE</STRONG>, take a look at the <U>screenshot</U> related to <STRONG>RADIUS &gt; Live Logs</STRONG>, look at the <STRONG>Steps</STRONG>, <EM>24402 User Authentication against Active Directory succeeded</EM>.</P><P>&nbsp;</P><P>Hope this helps !!!</P><P>&nbsp;</P> Mon, 08 Mar 2021 15:16:46 GMT Marcelo Morais 2021-03-08T15:16:46Z https://community.cisco.com/t5/network-access-control/ra-vpn-any-connect-password-change-using-ise-and-active/m-p/4303119#M565939 <P>Hi All</P><P>I am trying to understand if it is possible to send password expiry notifications / reset password for RA VPN Users.</P><P>&nbsp;</P><P>The current setup uses 2FA as follows:</P><P>1) User connects to FTD Outside Interface</P><P>2) The FTD passes the request via RADIUS to ISE</P><P>3) ISE, (which is integrated into Active Directry) queries the account via LDAP</P><P>4) ISE returns the result to the FTD</P><P>5) The FTD connects to the 2FA server and prompt the user for a token code.</P><P>6) The user is granted access.</P><P>&nbsp;</P><P>My thinking is is not currently possible in the above setup as the FTD / FMC, does not talk directly to AD, instead it communicates via ISE.</P><P>&nbsp;</P><P>I have been trying to follow the below configuration to test the theory</P><P><A href="https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/213905-configure-anyconnect-vpn-on-ftd-using-ci.html" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/213905-configure-anyconnect-vpn-on-ftd-using-ci.html</A></P><P>&nbsp;</P><P>What I cannot tell from the above guide is wether or not the ISE is required to integrate with Active Directory (as an external identity source) for it to work? The guide only shows setting up the realm in the FMC.</P><P>&nbsp;</P><P>Any clarification would be appreciated.</P><P>&nbsp;</P><P>Thanks</P> Mon, 08 Mar 2021 12:19:16 GMT https://community.cisco.com/t5/network-access-control/ra-vpn-any-connect-password-change-using-ise-and-active/m-p/4303119#M565939 Philip Badhams 2021-03-08T12:19:16Z https://community.cisco.com/t5/network-access-control/ra-vpn-any-connect-password-change-using-ise-and-active/m-p/4303246#M565948 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/338251">@Philip Badhams</a>&nbsp;</P><P>&nbsp;yes,&nbsp;<STRONG>ISE</STRONG> is required to integrated with <STRONG>AD</STRONG>&nbsp;in <STRONG>External Identity Sources &gt; Active Directory</STRONG>... on the link that you provided search for <STRONG>Cisco ISE</STRONG>, take a look at the <U>screenshot</U> related to <STRONG>RADIUS &gt; Live Logs</STRONG>, look at the <STRONG>Steps</STRONG>, <EM>24402 User Authentication against Active Directory succeeded</EM>.</P><P>&nbsp;</P><P>Hope this helps !!!</P><P>&nbsp;</P> Mon, 08 Mar 2021 15:16:46 GMT https://community.cisco.com/t5/network-access-control/ra-vpn-any-connect-password-change-using-ise-and-active/m-p/4303246#M565948 Marcelo Morais 2021-03-08T15:16:46Z https://community.cisco.com/t5/network-access-control/ra-vpn-any-connect-password-change-using-ise-and-active/m-p/4307438#M566143 <P>Is there a reason why both FMC and ISE need to be connected to AD in the scenario? I cannot see where the FMC talks directly to AD. All the authentication requests appear to go from the FMC to ISE and then to AD.</P> Mon, 15 Mar 2021 11:54:27 GMT https://community.cisco.com/t5/network-access-control/ra-vpn-any-connect-password-change-using-ise-and-active/m-p/4307438#M566143 Philip Badhams 2021-03-15T11:54:27Z https://community.cisco.com/t5/network-access-control/ra-vpn-any-connect-password-change-using-ise-and-active/m-p/4308610#M566200 <P><A id="link_28" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://community.cisco.com/t5/user/viewprofilepage/user-id/338251" target="_self"><SPAN class="">Philip Badhams</SPAN></A>, I've not used FMC/FTD for RA-VPN yet but I believe it not required to integrate with AD if you are not using any objects from AD in the policies in FMC.</P> <P>If you want to support password changes for AD users, then the VPN head-end needs using MSCHAPv2 to connect to ISE.&nbsp;</P> Wed, 17 Mar 2021 03:11:46 GMT https://community.cisco.com/t5/network-access-control/ra-vpn-any-connect-password-change-using-ise-and-active/m-p/4308610#M566200 hslai 2021-03-17T03:11:46Z