08-23-2017 11:36 AM
Hello,
I am checking whether the ASA is supported with Cisco ISE or not. In the Cisco ISE 2.2 compatibility matrix I can only find "Supported Cisco Remote Access".
I need to know if these models are supported or not:
5520
5505
5525
5555
and if there is any recommended IOS.
Can I authenticate users who log in on the ASA?
Can authorization be from ISE or local on the ASA?
08-23-2017 11:49 AM
Yes, you can use ISE TACACS+ as the AAA server to authenticate, authorize and account users who log into the ASA CLI and/or ASDM. You can also fall back to the LOCAL username database on the ASA. In my experience, ASA 9.x works with ISE 2.x.
08-23-2017 11:57 AM
If I have no Device Administration license on ISE, can I only authenticate admin users who log in on the ASA and take authorization locally from the ASA?
08-23-2017 12:02 PM
RADIUS may allow some limited device admin capabilities. It's recommended to use T+. One deployment needs only one T+ license.
08-23-2017 12:07 PM
Agreed. Anything with TACACS, you need that single Device Admin license.
If you want to try RADIUS device admin, using old school PAP-ASCII as the protocol and just authorization with permit access, it should work, but I do not think you can add any privileges and command sets.
08-23-2017 12:28 PM
Yes, I am now thinking about only authenticating users from Cisco ISE, with authorization from the ASA itself, but how can I check whether the ASA models in the post are supported or not?
08-23-2017 12:42 PM
Device Admin via either RADIUS or TACACS+ is pretty plain old school PAP for ISE. I haven't found any Cisco papers documenting this compatibility. Perhaps Cisco folks can give some direction here...
I would suggest you set up LOCAL on the ASA first; if it's successful, then you add your ISE PSN to it. During this process, check the debug info on the ISE live log and the ASA to see the steps.
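The staged setup suggested in the reply above (LOCAL first, then the ISE PSN, then checking debug output), as an added ASA 9.x configuration example that is not from any participant in the thread. The server-group name ISE, the interface name inside, the address 192.0.2.10, the user names and the bracketed secrets are assumed placeholders.

```text
! Constructed example; names, addresses and secrets are placeholders.
!
! Stage 1: local administration only.
! Confirm that SSH login with the local account works before adding ISE.
username localadmin password <local-password> privilege 15
aaa authentication ssh console LOCAL
!
! Stage 2: define the ISE PSN as an AAA server group.
! Use "protocol radius" here for the RADIUS variant discussed in the thread.
aaa-server ISE protocol tacacs+
aaa-server ISE (inside) host 192.0.2.10
 key <shared-secret>
!
! Authenticate against ISE first. LOCAL is consulted only when no server
! in the group responds, not when ISE rejects the credentials.
aaa authentication ssh console ISE LOCAL
aaa authentication http console ISE LOCAL
!
! No "aaa authorization command" line is configured, so no command
! authorization requests are sent to ISE; privileged access still
! depends on the enable password held on the ASA itself.
!
! Stage 3: verify from the ASA while watching the ISE live log.
test aaa-server authentication ISE host 192.0.2.10 username <ise-user> password <ise-password>
show aaa-server ISE
debug tacacs
```

Keep the local account in place after ISE is added, since it is the only way in when the PSN is unreachable.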
08-23-2017 11:58 AM