04-18-2018 03:15 PM
I just need to confirm that ISE doesn't support SSO Authentication over SAML2.0 for VPN Policies. For example, a VPN user connects to an ASA using Clientless SSL VPN. The ASA is configured to use ISE for AAA over RADIUS for authC and authZ. ISE is configured to use an SSO IdP as an external identity manager. Is there a way for ISE to send a redirect to the SSO Authentication page back to the VPN client via the ASA, and still provide authZ policy?
If there is no solution like this, which I don't think there is, I know we can configure SAML2.0 on the ASA natively. Is there any way we can use SAML for authC on the ASA, but still use RADIUS for authZ on ISE? For instance, a VPN user authenticates to the ASA using the SSO provider, but still authenticates via certificate over RADIUS using ISE, therefore getting the correct authorization policy?
I know this is more of an ASA question, but figured I'd ask the ISE community, as I will also be throwing this over to the NGFW mailer as well.
04-18-2018 06:40 PM
We have had teams validate SSL VPN SSO (where it passes credentials to target web service) to provide SSO experience to ISE web page like Sponsor Portal. Not aware of anyone having tested access using ISE SAML SSO to same portal.
On the 2nd question, ISE does not authenticate ASA user certs. Cert auth for RA VPN clients is terminated at ASA, not ISE.
04-26-2018 06:51 AM
04-26-2018 07:33 AM
The AnyConnect lab delivered in the April 2017 Security SEVT covered AnyConnect VPN using PingFederate as the SAML IdP and, once connected, being able to get to ISE MyDevices, which was also configured to use the same IdP, without providing login info again.