01-26-2013 05:32 PM - edited 03-10-2019 08:01 PM
Hi
Currently I have set up an ASA 5510 (8.4) as VPN headend, with Cisco ACS 4.2 as the RADIUS server for AAA (groups in the RADIUS server are mapped to AD groups).
I would like to see if I can use ISE to authenticate VPN users and push a VPN ACL to them, basically to replace ACS with ISE. We are planning to use ISE for other AAA/posture/policy uses for our wired and wireless clients.
Are there any good docs explaining how to configure ISE to provide AAA for AnyConnect VPN users? I have some ISE basics configured (AD integration, getting groups from AD, adding the ASA VPN and WLC devices into ISE) but am missing the parts on how to basically replace ACS with ISE.
Any help in this field is appreciated.
Regards,
01-26-2013 10:28 PM
Hi,
Yes, you can use ISE to push ACLs to your VPN clients. Are you using per-user ACLs or dACLs for your ACL configuration?
All you need to do is note the contents of your ACLs and migrate them over to the Results section in the Policy Elements configuration.
You can then place the ASA in its own device group, match on the network device group and the domain user group, and send back the result for VPN access.
Since ISE uses RADIUS accounting to track license enforcement, you will need to add a new aaa-server configuration on your ASA, and under your tunnel-group you will have to set the authentication server group and the accounting server group to point to ISE.
Thanks,
Sent from Cisco Technical Support Android App
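The ASA side of the steps above, as an added configuration example that is not from the thread or from any poster. The ISE address, shared secret, interface, ACL and tunnel-group/group-policy names are placeholders; the RADIUS ports are set explicitly to 1812/1813 because the ASA defaults to 1645/1646, so leaving them implicit is a common reason the ASA never gets an answer from ISE.

```cisco
! Added example (not from the thread). Names, addresses and the key are assumptions.
! 1. RADIUS server group pointing at the ISE policy service node.
aaa-server ISE protocol radius
 ! Send the assigned VPN IP to ISE once the tunnel is up, so the session
 ! record (and thus license/session tracking) carries the client address.
 interim-accounting-update
aaa-server ISE (inside) host 10.1.1.50
 key SharedSecretConfiguredOnISE
 authentication-port 1812
 accounting-port 1813
 radius-common-pw SharedSecretConfiguredOnISE
!
! 2. Named VPN filter ACL kept on the ASA; ISE can select it per group by
!    returning its name in RADIUS Filter-Id, or push a dACL instead.
access-list VPN-USERS-FILTER extended permit tcp any 10.10.0.0 255.255.0.0 eq 443
access-list VPN-USERS-FILTER extended permit udp any host 10.10.1.10 eq domain
access-list VPN-USERS-FILTER extended deny ip any any
!
group-policy AnyConnect-GP internal
group-policy AnyConnect-GP attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value VPN-USERS-FILTER
!
! 3. Point both authentication and accounting of the tunnel-group at ISE
!    (instead of the ACS group), as described in the reply above.
tunnel-group AnyConnect-TG type remote-access
tunnel-group AnyConnect-TG general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy AnyConnect-GP
!
! 4. Verify reachability and the shared secret before cutting users over:
!    test aaa-server authentication ISE host 10.1.1.50 username testuser password testpass
!    show aaa-server ISE
```

The `test aaa-server` command returns "Authentication Successful" only when the secret matches and ISE has a matching authentication policy; a timeout usually means the wrong port or the ASA not being added as a network device in ISE, while an explicit reject points at the ISE policy rather than the transport.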
01-28-2013 07:25 AM
Hi Tarik
Thanks for the response.
I am using per-group ACLs.
Do you have any good documents you want to share about setting it all up?
04-26-2013 02:17 PM
Hello,
Please check this document; I hope it helps you:
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/acs.pdf