03-27-2019 01:34 AM - edited 02-21-2020 08:59 AM
Hello Community,
I recently reimaged an ASA with the FTD image. That worked.
I added it to a FMC and smart license are ok.
I added my ISE as a radius server and configured remote access with anyconnect.
I configured my ISE and I can authenticate via ISE with no problem (I see what I expect in ISE Live logs).
I wanted to go beyond this step: I want to do a CoA depending on the Cisco AV-Pair tunnel group name:
if external group is Group1 => send a CoA to log in to tunnel group name Group1, if external group is Group2 => send a CoA to log in to tunnel group 2, etc.
I configured some stuff on FMC: see image001.PNG for the RADIUS configuration (removed name/description/IP).
I would like to know :
Thanks for any help you can provide (and sorry for my poor English).
Irwin
03-27-2019 02:06 AM
Currently (as of 6.3.0.2) only the AnyConnect VPN module is supported for remote access VPN on FTD. Other modules, including ISE Posture, are not supported.
04-12-2019 05:31 PM
Hello Marvin,
Yes, as per Guidelines and limitations for remote access VPN in version 6.3.0.2:
The following AnyConnect features are not supported when connecting to a FTD secure gateway:
Secure Mobility, Network Access Management, and all other AnyConnect modules and their profiles beyond the core VPN capabilities and the VPN client profile.
The following posture variants, Hostscan, Endpoint Posture Assessment, and ISE, and any Dynamic Access Policies based on the client posture.
But it supports CoA, and I think it is enough for ISE posture to work, as we did with ASA when it started to support CoA with version 9.2. So please advise.
04-14-2019 02:30 PM
Also for version 6.2.3:
The following AnyConnect features are not supported when connecting to a FTD secure gateway:
Secure Mobility, Network Access Management, and all other AnyConnect modules and their profiles beyond the core VPN capabilities and the VPN client profile.
The following posture variants, Hostscan, Endpoint Posture Assessment, and ISE, and any Dynamic Access Policies based on the client posture.
In the above they said ISE is not supported, but for version 6.3.0:
The following section describes the features of Firepower Threat Defense remote access VPN:
Rapid Threat Containment support using RADIUS CoA or RADIUS dynamic authorization.
The following AnyConnect features are not supported when connecting to a FTD secure gateway:
Secure Mobility, Network Access Management, and all other AnyConnect modules and their profiles beyond the core VPN capabilities and the VPN client profile.
The following posture variants, Hostscan and Endpoint Posture Assessment, and any Dynamic Access Policies based on the client posture.
So for version 6.3, they added CoA and removed ISE from the unsupported postures.
04-15-2019 08:56 PM
Yes, so ISE can now check the user attributes (normally group membership in AD) and reassign a user to a different tunnel group based on the outcome of that check.
For FTD-based RA VPNs, ISE cannot do posture assessment (i.e. check for registry key, file, running process, AV etc.) and make a determination based on that.
04-16-2019 07:11 AM - edited 04-16-2019 07:14 AM
Hello Marvin,
Actually, I have checked with Cisco and they confirmed that FTD version 6.3 can do ISE posture normally and can assign policy based on that.
As you can remember, for the ASA, as long as the ASA can do CoA, it can do ISE posture too.
04-16-2019 12:57 AM
04-16-2019 07:22 AM
You can work normally and try to configure ISE posture as with ASA before,
and for the redirect ACL you can add it in the FTD from the objects and extended ACL.