1934 Views | 0 Helpful | 3 Replies

SSO Authentication for SSL VPN using ISE

edmcnich
Cisco Employee

I just need to confirm that ISE doesn't support SSO Authentication over SAML 2.0 for VPN Policies. For example, a VPN user connects to an ASA using Clientless SSL VPN. The ASA is configured to use ISE for AAA over RADIUS for authC and authZ. ISE is configured to use an SSO IdP as an external identity manager. Is there a way for ISE to send a redirect to the SSO Authentication page back to the VPN client via the ASA, and still provide authZ policy?

If there is no solution like this, which I don't think there is, I know we can configure SAML 2.0 on the ASA natively. Is there any way we can use SAML for authC on the ASA, but still use RADIUS for authZ on ISE? For instance, the VPN user authenticates to the ASA using the SSO provider, but still authenticates via certificate over RADIUS using ISE, therefore getting the correct authorization policy?

I know this is more of an ASA question, but I figured I'd ask the ISE community, as I will also be throwing this over to the NGFW mailer as well.

1 Accepted Solution

Accepted Solutions

Craig Hyps
Level 10

We have had teams validate SSL VPN SSO (where it passes credentials to the target web service) to provide an SSO experience to an ISE web page like the Sponsor Portal. Not aware of anyone having tested access using ISE SAML SSO to the same portal.

On the 2nd question, ISE does not authenticate ASA user certs. Cert auth for RA VPN clients is terminated at the ASA, not ISE.

3 Replies

Craig Hyps
Level 10

The AnyConnect lab delivered in the April 2017 Security SEVT covered AnyConnect VPN using PingFederate as the SAML IdP and, once connected, being able to get to ISE MyDevices, which was also configured to use the same IdP, without providing login info again.
