Authenticate traffic leaving FTD Internal Interface - ISE

ciscokapajoeen
Level 1

Hello Guys,

We are migrating from Cisco ASA to FTD. In the previous configuration, traffic from inside was authenticated using AAA, but it did not function well, such that we ended up with too many AAA exceptions to allow systems on the inside to access anything on other interfaces/zones.
Now we are trying to apply the same principle using FTD and ISE, and we are wondering if you could help, as it seems not to be working.
These are my questions:

Question 1: Is it good and practical to define a policy that all traffic leaving the internal interface of the FTD should be authenticated?

Question 2: Is there any better way to authenticate all traffic leaving the internal interface using ISE and FTD/FMC which is robust and requires almost no maintenance?

Question 3: If it's possible, how do we fall back if ISE goes down?

Thank You
Patrice


1 Reply (Accepted Solution)

Arne Bier
VIP

Hello @ciscokapajoeen

ISE is used for network access control and not for application or content control. When you require that "all traffic leaving the internal interface" be authenticated, then NAC (ISE) is too late for that. ISE should have authenticated/authorized the endpoints at the time when they connect to the network. Once connected, the endpoints might reach out to services that are beyond the Internal, e.g. DMZ or internet. This can be stuff like web access. The better approach is to use a web proxy to redirect the web traffic and then authenticate the user, but it's not ISE that's doing this. The web proxy might send the auth request to ISE though.

The proxy usually does its filtering based on the source IP address of the endpoint traffic: you would define policies in the web proxy to allow/block traffic based on those source IP subnets. As far as authentication goes, the proxy might authenticate against AD, or LDAP, or anything. And those systems should be redundant, of course. If the redundancy fails, then the proxy should have an emergency policy to do whatever you like it to do, e.g. allow all.
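The decision flow described in the reply above (source-subnet policy first, then user authentication against redundant directories, with an emergency policy applied only when every backend is unreachable), as an added Python example that is not part of this thread or of any Cisco product. The rule format, the constructed AD/LDAP stand-ins, default-deny for unmatched subnets and the `emergency_action` default of "deny" are assumptions made for illustration.

```python
import ipaddress

EMERGENCY_REASON = "all auth backends unreachable; emergency policy applied"


class BackendDown(Exception):
    """Raised by a constructed backend to simulate an unreachable AD/LDAP server."""


def make_backend(users, reachable=True):
    """Constructed stand-in for a directory (AD, LDAP): returns a checker that
    answers whether a credential is valid, or raises BackendDown if the
    directory is unreachable. Not a real directory client."""
    def check(username, password):
        if not reachable:
            raise BackendDown()
        return users.get(username) == password
    return check


def evaluate(src_ip, username, password, subnet_rules, backends, emergency_action="deny"):
    """Return (decision, reason) for one egress request through the proxy.

    subnet_rules: ordered (cidr, "allow" | "block") pairs; first match wins and a
                  block short-circuits before any authentication is attempted.
                  No match falls through to block (assumed default-deny).
    backends:     redundant directory checkers tried in order; the first one that
                  answers decides. Only when all are down does emergency_action
                  apply, which is the "emergency policy" the answer refers to.
    """
    ip = ipaddress.ip_address(src_ip)
    for cidr, action in subnet_rules:
        if ip in ipaddress.ip_network(cidr):
            if action == "block":
                return "block", f"source subnet {cidr} blocked"
            break
    else:
        return "block", "no subnet rule matched"
    for backend in backends:
        try:
            if backend(username, password):
                return "allow", "authenticated"
            return "block", "bad credentials"
        except BackendDown:
            continue  # redundancy: fall through to the next directory
    return emergency_action, EMERGENCY_REASON


if __name__ == "__main__":
    rules = [("10.10.0.0/16", "allow"), ("10.20.0.0/16", "block")]  # constructed
    ad, ldap = make_backend({"alice": "s3cret"}, reachable=False), make_backend({"alice": "s3cret"})
    print(evaluate("10.10.1.5", "alice", "s3cret", rules, [ad, ldap]))
```

Passing `emergency_action="allow"` reproduces the "allow all" fallback mentioned above; keeping the default makes the outage fail closed, and the returned reason string is what you would log so that outage-driven decisions are distinguishable from policy decisions.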
