cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1744
Views
1
Helpful
7
Replies
engahmedsaied
Beginner

ASA with cisco ise integration and if it compatible or not

Hello,

I am looking that ASA is supported with Cisco ISE or no, In Cisco ISE compatibility matrix 2.2 I can find this only Supported Cisco Remote Access


Capture.PNG

I need to know if these models are supported or not

5520

5505

5525

5555

and if there is any IOS is recommend

can I authenticate user who log in on ASA ?

can authorization be from ISE or local on ASA?

1 ACCEPTED SOLUTION

Accepted Solutions

Device Admin via either RADIUS or TACACS+ is pretty plain old school PAP for ISE. I haven't found any cisco papers documwanting this compatibility. Perhaps cisco folks can give some direction here...

I would suggest you to set up LOCAL on ASA first, if it's successfu, then you add your ISE PSN to it. During this proces, check debug info on ISE live log and ASA to see the steps.

View solution in original post

7 REPLIES 7
Ping Zhou
Collaborator

Yes, you can use ISE tacacs+ as AAA server to authenticate, authorize and account users  who log into the ASA CLI and / or ASDM. You can also failback to LOCAL username database on ASA. To my experience, ASA 9.x work with ISE 2.x.

if I have no device administration license on ISE, can I only authenticate admin user who login on ASA and take authorization local from ASA ?

RADIUS may allow some limited device admin capabilities. It's recommended to use T+. One deployment needs only one T+ license.

Agreed. Anything with tacacs, you need that single device Admin license.

if you want to try radius device Admin, using old school PAP-ASCII as the protoco and just Authorization with permit access, it should work, but donot think you can add any privileges and comman sets.

yes I think now about only authenticate user from cisco ISE and authorization be from ASA itself but how can I check if ASA model in post is supported or no ?

Device Admin via either RADIUS or TACACS+ is pretty plain old school PAP for ISE. I haven't found any cisco papers documwanting this compatibility. Perhaps cisco folks can give some direction here...

I would suggest you to set up LOCAL on ASA first, if it's successfu, then you add your ISE PSN to it. During this proces, check debug info on ISE live log and ASA to see the steps.

View solution in original post

hslai
Cisco Employee
Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars



Did you miss a previous ISE webinar?

CiscoISE YouTube Channel