ASA-FTD-Image and ISE CoA

i.leridant
Level 1

Hello Community,

 

I recently reimaged an ASA with the FTD image. That worked.

 

I added it to a FMC and smart license are ok.

 

I added my ISE as a radius server and configured remote access with anyconnect.

I configured my ISE and I can authenticate via ISE with no problem (I see what I expect in ISE Live logs).

 

I wanted to go beyond this step: I want to do a CoA depending on the Cisco AV Pair tunnel group name:

if external group is Group1 => send a CoA to log in tunnel group name Group1, if external group is Group2 => send a CoA to log in tunnel group 2, etc.

 

I configured some stuff on FMC: see image001.PNG for the radius configuration (removed name/description/IP).

 

I would like to know:

  1. Is what I want to do possible?
  2. What is the best practice to configure CoA, and the prerequisites (I didn't find anything that matched ASA-FTD controlled by FMC for CoA)?
  3. How can I troubleshoot CoA on the firewall?
  4. If I am right, if I want to do Posture I will have to do CoA (so CoA has to work in my ASA)?

 

Thanks for any help you can provide (and sorry for my poor English).

Irwin
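For question 3 (troubleshooting CoA on the firewall), an added example that is not part of this thread or of any Cisco tool: a small Python decoder for a RADIUS dynamic-authorization packet (RFC 5176) taken from a capture between ISE and the FTD. It checks that the Request Authenticator matches the shared secret configured on the firewall (a secret mismatch is the classic reason a CoA is silently ignored) and lists the Cisco AV pairs carried in the packet. The packet, user name and AV pair value are constructed sample data.

```python
import hashlib
import hmac
import struct

# RADIUS codes defined by RFC 5176 (Dynamic Authorization Extensions)
CODE_NAMES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
              43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ATTR_USER_NAME, ATTR_VENDOR_SPECIFIC = 1, 26
VENDOR_CISCO, CISCO_AVPAIR = 9, 1          # Cisco VSA, sub-type 1 = cisco-avpair

def user_name(name: str) -> bytes:
    data = name.encode()
    return bytes([ATTR_USER_NAME, 2 + len(data)]) + data

def cisco_avpair(text: str) -> bytes:
    """Encode one cisco-avpair inside a Vendor-Specific (26) attribute."""
    data = text.encode()
    sub = bytes([CISCO_AVPAIR, 2 + len(data)]) + data
    return bytes([ATTR_VENDOR_SPECIFIC, 6 + len(sub)]) + struct.pack("!I", VENDOR_CISCO) + sub

def build_coa_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Constructed CoA-Request (code 43). Per RFC 5176 the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", 43, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Recompute the Request Authenticator with the secret the firewall is configured with."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)

def parse_attributes(packet: bytes) -> list:
    """Walk the TLV attribute list; Cisco VSAs are expanded into cisco-avpair strings."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_USER_NAME:
            out.append(("User-Name", value.decode()))
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 4 and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO:
            sub, spos = value[4:], 0
            while spos < len(sub):           # one VSA may carry several sub-attributes
                if spos + 2 > len(sub) or sub[spos + 1] < 2 or spos + sub[spos + 1] > len(sub):
                    raise ValueError("malformed Cisco VSA")
                if sub[spos] == CISCO_AVPAIR:
                    out.append(("cisco-avpair", sub[spos + 2:spos + sub[spos + 1]].decode()))
                spos += sub[spos + 1]
        else:
            out.append(("Attr-%d" % atype, value.hex()))
        pos += alen
    return out

def inspect_coa(packet: bytes, secret: bytes) -> dict:
    """Summary of a captured dynamic-authorization packet: code, length check, secret check, attributes."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    return {"code": CODE_NAMES.get(code, "Unknown(%d)" % code), "id": ident, "length_ok": length == len(packet),
            "authenticator_ok": authenticator_ok(packet, secret), "attributes": parse_attributes(packet)}
```

To use it on a real capture, feed `inspect_coa` the UDP payload of the packet ISE sent to port 1700 (or the port configured on the FTD) together with the RADIUS shared secret; `authenticator_ok` False with a correct-looking packet points at a secret mismatch.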

 

1 Accepted Solution

Accepted Solutions

Yes, so ISE can now check the user attributes (normally group membership in AD) and reassign a user to a different tunnel group based on the outcome of that check.

 

For FTD-based RA VPNs, ISE cannot do posture assessment (i.e. check for registry key, file, running process, AV etc.) and make a determination based on that.


7 Replies

Marvin Rhoads
Hall of Fame

Currently (as of 6.3.0.2) only the AnyConnect VPN module is supported for remote access VPN on FTD. Other modules, including ISE Posture, are not supported.

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/firepower_threat_defense_remote_access_vpns.html#reference_xby_dml_wy

Hello Marvin,

 

Yes, as per the Guidelines and limitations for remote access VPN in version 6.3.0.2:

 

The following AnyConnect features are not supported when connecting to a FTD secure gateway:

  • Secure Mobility, Network Access Management, and all other AnyConnect modules and their profiles beyond the core VPN capabilities and the VPN client profile.

  • The following posture variants, Hostscan, Endpoint Posture Assessment, and ISE, and any Dynamic Access Policies based on the client posture.

But it supports CoA and I think it is enough for ISE posture to work, as we did with ASA when it started to support CoA with version 9.2. So please advise.

Also, for version 6.2.3:

The following AnyConnect features are not supported when connecting to a FTD secure gateway:

  • Secure Mobility, Network Access Management, and all other AnyConnect modules and their profiles beyond the core VPN capabilities and the VPN client profile.

  • The following posture variants, Hostscan, Endpoint Posture Assessment, and ISE, and any Dynamic Access Policies based on the client posture.

In the above they said ISE is not supported, but for version 6.3.0:

The following section describes the features of Firepower Threat Defense remote access VPN:

 

  • Rapid Threat Containment support using RADIUS CoA or RADIUS dynamic authorization.

The following AnyConnect features are not supported when connecting to a FTD secure gateway:

  • Secure Mobility, Network Access Management, and all other AnyConnect modules and their profiles beyond the core VPN capabilities and the VPN client profile.

  • The following posture variants, Hostscan and Endpoint Posture Assessment, and any Dynamic Access Policies based on the client posture.

So for version 6.3, they added CoA and removed ISE from the unsupported postures.


Hello Marvin,

 

Actually I have checked with Cisco and they confirmed that FTD version 6.3 can do ISE posture normally and can assign policy based on that.

 

As you can remember for the ASA, as long as the ASA can do CoA, it can do ISE posture too.

Thank you Marvin & Mohamed for your answers!
Now I have to work on the CoA (it is just a question of time).

You can work normally and try to configure ISE posture as with ASA before:

 

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

 

And for the redirect ACL, you can add it in the FTD from the objects as an extended ACL.
