Cisco ISE 2.2.0 and Palo Alto VPN client GlobalProtect

albertofdez (Level 1)

Hi,

I have Cisco ISE 2.2.0 installed and running for a bunch of things and everything works perfectly except Palo Alto remote access VPN user validation with the GlobalProtect client.

This works perfectly with the Microsoft NPS Radius, but there is no way to reproduce the conditions and authorization profile to work with Cisco ISE.

Does anyone have the necessary parameters or can someone help me?

Best regards.

Accepted Solution

Hi Rahul,

I just tried it and it works perfectly, I had to create a new Radius Vendor called PaloAlto_Vendor and a new Network Device Profile called PaloAltoNetworks to which I added this dictionary.

Then I have associated the 2 PA-500s created in Network Devices with their Profile Name PaloAltoNetworks.

And finally I created an Authorization Profile called Permit_VPN where I added the VSA1 and VSA2 with the parameters of the image.

I hope this is clear, if anyone needs more data or help I will be happy to help.

Best regards.


11 Replies

Rahul Govindan (VIP Alumni)

I have not integrated them both together, but if you are able to get it working with NPS, the same principles should hold true for ISE. What exactly is failing when you have ISE as the AAA server?

Hi Rahul,

In NPS, 2 attributes are created with a specific vendor, 25461; I attach images of how they are created.

I just found a document on the Palo Alto website (image attached) on creating a new Vendor in Cisco ISE for this manufacturer and the parameters to be defined, but VSA1 and VSA2 do not seem to match those used by NPS.

VSA 1 = PaloAlto-Admin-Role
VSA 2 = PaloAlto-Admin-Access-Domain

They look more like access to management than VPN access.

Best regards

I am not sure if I understood your issue. But it looks like you are on the right track. You have the Palo Alto VSA Dictionary and Attributes on the ISE. Now all you have to do is to have this Attribute mapped to a value (in your case SE-Admin-Access and SANLUCAR) in the Authorization profile. See attached.
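To make the pieces named in this thread concrete (vendor 25461, sub-attributes 1 = PaloAlto-Admin-Role and 2 = PaloAlto-Admin-Access-Domain, and the values SE-Admin-Access / SANLUCAR mapped in the Permit_VPN authorization profile), here is an added example, not from the original posts or from Cisco or Palo Alto, that encodes those two VSAs the way they travel inside a RADIUS Access-Accept (RFC 2865 Vendor-Specific attribute, type 26) and decodes them back, so a packet capture from ISE can be checked against what the firewall expects. The function names and the sample values are my own assumptions.

```python
import struct

PALO_ALTO_VENDOR_ID = 25461  # vendor number quoted in the thread
VENDOR_SPECIFIC = 26         # RFC 2865 Vendor-Specific attribute type
# sub-attribute numbers from the Palo Alto dictionary quoted in the thread
PA_VSA = {1: "PaloAlto-Admin-Role", 2: "PaloAlto-Admin-Access-Domain"}


def encode_vsa(vendor_type: int, value: str) -> bytes:
    """One RFC 2865 VSA: type(1) len(1) vendor-id(4) vtype(1) vlen(1) data."""
    data = value.encode("utf-8")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", PALO_ALTO_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_attributes(blob: bytes) -> dict:
    """Walk a RADIUS attribute list; return {name: value} for Palo Alto VSAs.
    Other attribute types and other vendors are skipped; truncated or
    zero-length attributes raise instead of being silently accepted."""
    found, pos = {}, 0
    while pos + 2 <= len(blob):
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed attribute at offset %d" % pos)
        payload = blob[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(payload) < 6:
            continue
        if struct.unpack("!I", payload[:4])[0] != PALO_ALTO_VENDOR_ID:
            continue
        vpos = 4
        while vpos + 2 <= len(payload):
            vtype, vlen = payload[vpos], payload[vpos + 1]
            if vlen < 2 or vpos + vlen > len(payload):
                raise ValueError("malformed sub-attribute")
            name = PA_VSA.get(vtype, "PaloAlto-VSA-%d" % vtype)
            found[name] = payload[vpos + 2:vpos + vlen].decode("utf-8")
            vpos += vlen
    return found


def build_permit_vpn_attributes(role: str, domain: str) -> bytes:
    """The two VSAs the thread's Permit_VPN profile adds to an Access-Accept."""
    return encode_vsa(1, role) + encode_vsa(2, domain)


if __name__ == "__main__":
    # constructed sample using the values named in the thread
    print(decode_attributes(build_permit_vpn_attributes("SE-Admin-Access", "SANLUCAR")))
```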

Correct, that is what I have configured. Tomorrow I will try with the client and tell you if it works.

Thanks


Glad to hear that it is working for you. Thanks for reverting back with this information.

Hi Alberto,

I wondered if you had managed to integrate the Posture assessment capabilities of the ISE into the solution you have implemented with GlobalProtect.

Also, have you had any issues with the solution since you implemented it?

Andy

So VSA1 and VSA2, where are they in GlobalProtect, as that is not in the client anywhere?

manvik (Level 3)

Has anyone got the GlobalProtect agent working with the Cisco ISE posture module, i.e. when a remote VPN user connects via GlobalProtect, the ISE posture module kicks in and sends info to Cisco ISE?

thomas (Cisco Employee)

ISE Posture is a module in AnyConnect. You would need to use AnyConnect as your VPN agent.

You are right, but how can Cisco ISE posture be implemented for remote VPN users who are already using PA GlobalProtect?