03-09-2017 08:06 AM
Dear Colleagues,
Customer wants to use double authentication where one of the authentications would be a direct Securenvoy two factor authentication PIN and the other is the normal AD username and password.
This is about a 3000 users AC/ISE APEX deployment.
The questions are:
- Can we support RADIUS CoA with ASA VPN double authentication? If both RADIUS Access Requests were configured to go to ISE, can we differentiate them somehow so one would be checked against the Securenvoy RADIUS token server? Even if we could, what session ID would be manipulated by CoA?
- Has anyone tried to use Securenvoy as RADIUS Token server with ISE yet?
- If we didn't use double authentication (so ASA sent a single RADIUS Access Accept request with AD username and OTP as the password), could we use the Token Server as authentication source and AD as authorization only in ISE? Do we have any "How-to-..." guide?
Best regards,
Istvan
03-10-2017 06:32 PM
Hello,
I am pretty certain you don't mean Hostscan (ASA) and mean ISE system Scan i.e., ISE Posture.
You could use Double Authentication aka Secondary Authentication and Authorization to ISE (Radius)
With the Secondary Authentication you can configure the tunnel-group aka Connect profile to use the username from the primary authentication for the secondary set of credentials, thus avoiding the user needing to enter the username twice.
You would configure Authorization to ISE - this is common for customers that use Certificates to authenticate VPN to the ASA and then use ISE for posture.
"Use authorization only mode—If you do not want to use ISE for authentication, enable authorize-only mode for the RADIUS server group. This indicates that when this server group is used for authorization, the RADIUS Access Request message will be built as an “Authorize Only” request as opposed to the configured password methods defined for the AAA server. If you do configure a common password for the RADIUS server, it will be ignored."
Best regards,
Paul
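Added here as an illustration of the layout Paul describes (this is not configuration from Paul's post or from Cisco's documentation): a primary authentication server group for the token server, AD as secondary authentication reusing the primary username, and an ISE server group in authorize-only mode with dynamic authorization (CoA) enabled. Server-group names, interface names, addresses and the tunnel-group name are constructed placeholders.

```cisco
! Primary authentication: RADIUS token server (Securenvoy) - placeholder group/host
aaa-server SECURENVOY-OTP protocol radius
aaa-server SECURENVOY-OTP (inside) host 192.0.2.10
 key <securenvoy-shared-secret>
 authentication-port 1812
 accounting-port 1813

! Secondary authentication: Active Directory over LDAP - placeholder group/host
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.20
 ldap-base-dn dc=example,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa-bind,ou=Service Accounts,dc=example,dc=local
 ldap-login-password <bind-password>
 server-type microsoft

! Authorization only to ISE: ASA builds an "Authorize Only" Access-Request,
! so any configured common password for this group is ignored.
! dynamic-authorization lets ISE send RADIUS CoA for this session.
aaa-server ISE-AUTHZ protocol radius
 authorize-only
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server ISE-AUTHZ (inside) host 192.0.2.30
 key <ise-shared-secret>

! Connection profile: OTP first, AD second with the same username,
! then authorization and accounting against ISE (used for posture/CoA).
tunnel-group VPN-DOUBLE-AUTH type remote-access
tunnel-group VPN-DOUBLE-AUTH general-attributes
 authentication-server-group SECURENVOY-OTP
 secondary-authentication-server-group AD-LDAP use-primary-username
 authorization-server-group ISE-AUTHZ
 accounting-server-group ISE-AUTHZ
 default-group-policy GP-VPN-POSTURE
```

Check the resulting RADIUS exchanges with "debug radius" and "show vpn-sessiondb detail anyconnect" on the ASA and the RADIUS Live Logs in ISE to confirm that only the authorize-only request and the accounting records reach ISE, while the OTP and AD checks stay on their own servers.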
03-13-2017 03:28 AM
Hi Paul,
Thank you for your response. Yes I was thinking about ISE Posture Scan in AnyConnect. It was Thursday evening when I created the post, just last evening before my PTO. Anyway...
One last question if I may. Is there any way to run a single OTP-based username/password authentication on ASA and let ISE check the OTP server over RADIUS to verify the token and still query AD for attributes?
E.g. would ISE check AD if AD was not in the ID source sequence but AD user group membership was used in the Authorization policy? I am afraid not, but I just want to make sure.
Unfortunately since both FMC and ISE have grown larger I don't have the hardware capacity to run both in my LAB so I can't experiment with it.
Best regards,
Istvan