Cisco Employee

SSO Authentication for SSL VPN using ISE

I just need to confirm that ISE doesn't support SSO Authentication over SAML 2.0 for VPN Policies. For example, a VPN user connects to an ASA using Clientless SSL VPN. The ASA is configured to use ISE for AAA over RADIUS for authC and authZ. ISE is configured to use an SSO IdP as an external identity manager. Is there a way for ISE to send a redirect to the SSO Authentication page back to the VPN client via the ASA, and still provide authZ policy?

If there is no solution like this, which I don't think there is, I know we can configure SAML 2.0 on the ASA natively. Is there any way we can use SAML for authC on the ASA, but still use RADIUS for authZ on ISE? For instance, a VPN user authenticates to the ASA using the SSO provider, but still authenticates via certificate over RADIUS using ISE, therefore getting the correct authorization policy?

I know this is more of an ASA question, but figured I'd ask the ISE community, as I will also be throwing this over to the NGFW mailer as well.


Accepted Solutions
Advocate

Re: SSO Authentication for SSL VPN using ISE

We have had teams validate SSL VPN SSO (where it passes credentials to the target web service) to provide an SSO experience to an ISE web page like the Sponsor Portal. I am not aware of anyone having tested access using ISE SAML SSO to the same portal.

On the 2nd question, ISE does not authenticate ASA user certs. Cert auth for RA VPN clients is terminated at the ASA, not ISE.

Cisco Employee

Re: SSO Authentication for SSL VPN using ISE

The AnyConnect lab delivered in April 2017 Security SEVT covered AnyConnect VPN using PingFederate as the SAML IdP and, once connected, being able to get to ISE MyDevices, which was also configured to use the same IdP, without providing login info again.