Beginner

ISE Integration with Symantec VIP for RA VPN

Hi,

I would appreciate any help if someone has tested the scenario below, whether it is doable or not.

Our customer has Firepower appliances for a remote access VPN service using AnyConnect, and ISE as the authentication server for the remote access VPN users. The plan is to integrate ISE with Symantec VIP for 2FA (which is possible). The question is:

The customer wants some of the RA users to use a specific laptop or phone when they connect using AnyConnect and, of course, use the Symantec 2FA. I'm trying to explore my options here; I could think of the following:

Maybe we can use Symantec VIP as an external RADIUS server and use it in the identity source sequence in the authentication policy. Then we use the internal endpoint identity, which has the MAC addresses of the users, and in the authorization policy we match based on the endpoint identity.

Or maybe we install a machine certificate on the client machine and use certificate as an authentication method in the identity source sequence, but I'm not sure if in the same identity source sequence I can choose Symantec VIP, which is an external RADIUS server. Usually we choose AD with certificate authentication in the identity source sequence; I do not know if we can choose an external RADIUS server with certificate in the identity source sequence.

Does anyone have experience with such a scenario? Any suggestions!

 

Thanks 

 

2 ACCEPTED SOLUTIONS
3 Replies
Cisco Employee

Re: ISE Integration with Symantec VIP for RA VPN

There may be multiple ways, but as you mentioned, we can use the MAC. AnyConnect will send the MAC in ACIDEX. You can follow the information in this posting:

https://community.cisco.com/t5/identity-services-engine-ise/dynamic-attributes-mac-address-with-ise-and-vpn/td-p/3728301

Another option is to use the AnyConnect posture module, which can key off a certain watermark added to the Windows registry or macOS plist file.

Another option is using certificates, but note that certificate validation is generally done on the VPN gateway itself, not on the RADIUS server. You may be able to validate the certificate on the RADIUS server using IKEv2 with EAP as the authentication protocol, but I am not sure if that is feasible in the scenario.

Beginner

Re: ISE Integration with Symantec VIP for RA VPN

Hello howon,

Thank you for your valuable information.

According to the post https://community.cisco.com/t5/identity-services-engine-ise/dynamic-attributes-mac-address-with-ise-and-vpn/td-p/3728301

if I understood correctly, that's applicable if the machine is part of the AD. In my scenario, the machine is not part of the AD. I do not know if I can still use the ACIDEX information to match on the client machine MAC address before I assign an authorization profile.

All I need is that, after authenticating the user with Symantec VIP, in the authorization policy I want to match on the client machine MAC address before I assign an authorization profile to that user. Can ACIDEX help in this case?

Using posture is also a valid solution, and we will use it for users who are part of the AD, but not for users not in the AD.

 

Ali    

 

Cisco Employee

Re: ISE Integration with Symantec VIP for RA VPN

Yes, ACIDEX provides the MAC addresses of the RA-VPN endpoints.
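The decision flow discussed in this thread (external RADIUS/2FA result first, then a match on the endpoint MAC that AnyConnect reports via ACIDEX, then an authorization profile) can be sketched as a small simulation. This is an added example, not Cisco's, ISE's or any poster's code: it assumes the device MAC arrives as a Cisco-AV-Pair of the form `mdm-tlv=device-mac=<mac>` (an assumption about the ACIDEX encoding, not confirmed by the thread), uses a constructed dictionary as the stand-in for an ISE endpoint identity group, and uses made-up authorization profile names. The point it adds beyond the thread is the two practical pitfalls of MAC-based rules: the MAC must be normalised before comparison (AnyConnect, switches and humans write it in different formats), and a session that carries no device MAC at all must fall through to the restricted profile rather than the trusted one.

```python
"""Simulated ISE-style authorization for AnyConnect RA-VPN sessions.

Added example, not Cisco/ISE code. Assumptions (not from the thread):
  * the endpoint MAC reaches the RADIUS server as a Cisco-AV-Pair value
    "mdm-tlv=device-mac=<mac>";
  * TRUSTED_ENDPOINTS stands in for an ISE endpoint identity group;
  * the profile names are placeholders.
"""
import re
from typing import Dict, List, Optional, Tuple

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Canonicalise aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff.

    Returns the lowercase colon-separated form, or None if the value is not
    a 48-bit MAC. Comparing un-normalised strings is a classic reason why a
    MAC-based authorization rule "never hits".
    """
    hexdigits = re.sub(r"[:\-.]", "", raw.strip().lower())
    if not _HEX12.match(hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def extract_device_mac(av_pairs: List[str]) -> Optional[str]:
    """Pull the device MAC out of the session's Cisco-AV-Pair values (assumed shape)."""
    for pair in av_pairs:
        if pair.startswith("mdm-tlv=device-mac="):
            return normalize_mac(pair.split("=", 2)[2])
    return None


# Constructed trusted endpoints, keyed by normalised MAC (stand-in for an
# ISE endpoint identity group such as "VPN-Trusted-Devices").
TRUSTED_ENDPOINTS: Dict[str, str] = {
    "00:11:22:33:44:55": "ali-laptop",
    "0a:0b:0c:0d:0e:0f": "ali-phone",
}


def authorize(user_authenticated: bool, av_pairs: List[str],
              trusted: Dict[str, str] = TRUSTED_ENDPOINTS) -> str:
    """Return the authorization profile name for one session.

    Order mirrors the design in the thread: the external RADIUS (2FA)
    result gates everything; only then does the endpoint MAC decide which
    profile applies. A session without a usable device MAC is treated as
    an unknown device (fail closed), never as a trusted one.
    """
    if not user_authenticated:
        return "REJECT"
    mac = extract_device_mac(av_pairs)
    if mac is not None and mac in trusted:
        return "PermitAccess-TrustedDevice"
    return "Quarantine-UnknownDevice"


# Constructed sessions: (2FA result, Cisco-AV-Pair values seen by the policy).
SESSIONS: Dict[str, Tuple[bool, List[str]]] = {
    "trusted-laptop": (True, ["mdm-tlv=device-platform=win",
                              "mdm-tlv=device-mac=0011.2233.4455"]),
    "unknown-device": (True, ["mdm-tlv=device-platform=win",
                              "mdm-tlv=device-mac=de:ad:be:ef:00:01"]),
    "no-acidex":      (True, ["mdm-tlv=device-platform=win"]),
    "bad-2fa":        (False, ["mdm-tlv=device-mac=00:11:22:33:44:55"]),
}


def evaluate_all(sessions: Dict[str, Tuple[bool, List[str]]] = SESSIONS) -> Dict[str, str]:
    """Evaluate every constructed session and map its name to the chosen profile."""
    return {name: authorize(ok, pairs) for name, (ok, pairs) in sessions.items()}


if __name__ == "__main__":
    for name, profile in evaluate_all().items():
        print(f"{name:15s} -> {profile}")
```

Note that the "trusted-laptop" session reports its MAC in Cisco dotted form and still matches the colon-separated entry only because both sides are normalised first; the "no-acidex" session shows the fail-closed branch the follow-up question is really asking about.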