06-21-2017 10:50 AM - edited 03-11-2019 12:48 AM
Hi,
I have Cisco ISE 2.2.0 installed and running for a bunch of things and everything works perfectly except Palo Alto remote access VPN user validation with the GlobalProtect client.
This works perfectly with Microsoft NPS RADIUS, but I have found no way to reproduce the conditions and the authorization profile so that it works with Cisco ISE.
Does anyone have the necessary parameters or can someone help me?
Best regards.
06-21-2017 02:38 PM
I have not integrated them both together, but if you are able to get it working with NPS, the same principles should hold true for ISE. What exactly is failing when you have ISE as the AAA server?
06-21-2017 03:05 PM
Hi Rahul,
In NPS, two attributes are created under a specific vendor ID, 25461; I attach images of how they are created.
I just found a document on the Palo Alto website (image attached) on creating a new Vendor in Cisco ISE for this manufacturer and the parameters to define, but VSA1 and VSA2 do not seem to match those used by NPS.
VSA 1 = PaloAlto-Admin-Role
VSA 2 = PaloAlto-Admin-Access-Domain
They look more like access to management than VPN access.
Best regards
06-21-2017 03:49 PM
I am not sure I understood your issue, but it looks like you are on the right track. You have the Palo Alto VSA dictionary and attributes on the ISE. Now all you have to do is map each attribute to a value (in your case SE-Admin-Access and SANLUCAR) in the Authorization Profile. See attached.
06-21-2017 04:07 PM
Correct, that is what I have configured. Tomorrow I will try with the client and tell you if it works.
Thanks
06-22-2017 04:05 AM
Hi Rahul,
I just tried it and it works perfectly. I had to create a new RADIUS Vendor called PaloAlto_Vendor and a new Network Device Profile called PaloAltoNetworks to which I added this dictionary.
Then I have associated the 2 PA-500s created in Network Devices with their Profile Name PaloAltoNetworks.
And finally I created an Authorization Profile called Permit_VPN where I added the VSA1 and VSA2 with the parameters of the image.
I hope this is clear, if anyone needs more data or help I will be happy to help.
Best regards.
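The solution above boils down to ISE returning two Palo Alto vendor-specific attributes (vendor ID 25461, VSA 1 PaloAlto-Admin-Role and VSA 2 PaloAlto-Admin-Access-Domain, values SE-Admin-Access and SANLUCAR) inside the RADIUS Access-Accept. The following is an added example, not code from this thread or from Cisco or Palo Alto: it encodes those VSAs in the RFC 2865 Vendor-Specific (attribute 26) layout, assembles an Access-Accept with a proper Response Authenticator, and decodes and verifies the packet the way the firewall must before it trusts the attributes. This is what you would reimplement to check a capture between ISE and the PA-500 when the authorization profile "looks right" but the client still fails. The shared secret, packet identifier, request authenticator and the helper names are constructed for the example.

```python
"""
Added example (not from the original thread): encode, decode and verify the
Palo Alto VSAs in a RADIUS Access-Accept.

Facts used: RFC 2865 attribute 26 (Vendor-Specific) layout and the Response
Authenticator rule; Palo Alto vendor ID 25461 and VSA numbers 1 and 2 as
quoted in the thread. Secret, identifier and request authenticator below
are constructed for the example.
"""
import hashlib
import hmac
import struct

PALOALTO_VENDOR_ID = 25461
PALOALTO_VSA_NAMES = {1: "PaloAlto-Admin-Role", 2: "PaloAlto-Admin-Access-Domain"}
ATTR_VENDOR_SPECIFIC = 26
CODE_ACCESS_ACCEPT = 2


def encode_vsa(vendor_id: int, vendor_type: int, value: str) -> bytes:
    """One RFC 2865 Vendor-Specific attribute carrying a string value:
    type(26) length vendor-id(4) | vendor-type vendor-length vendor-value."""
    data = value.encode()
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("attribute exceeds the 255-byte RADIUS limit")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_attributes(blob: bytes) -> list:
    """Walk attribute TLVs; expand VSAs into (26, vendor_id, vendor_type, value).
    Length checks are deliberate: a malformed length must not read past the buffer."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        val = blob[i + 2 : i + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(val) < 6:
                raise ValueError("VSA too short")
            vendor = struct.unpack("!I", val[:4])[0]
            vtype, vlen = val[4], val[5]
            if vlen < 2 or 4 + vlen > len(val):
                raise ValueError("bad VSA sub-attribute length")
            out.append((atype, vendor, vtype, val[6 : 4 + vlen]))
        else:
            out.append((atype, None, None, val))
        i += alen
    return out


def extract_paloalto_vsas(attrs: bytes) -> dict:
    """Map the Palo Alto VSAs found in an attribute blob to name -> value."""
    found = {}
    for atype, vendor, vtype, val in decode_attributes(attrs):
        if atype == ATTR_VENDOR_SPECIFIC and vendor == PALOALTO_VENDOR_ID:
            name = PALOALTO_VSA_NAMES.get(vtype, f"PaloAlto-VSA-{vtype}")
            found[name] = val.decode(errors="replace")
    return found


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Assemble an Access-Accept. Response Authenticator (RFC 2865 section 3) =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The check the NAS (the firewall) performs before trusting any attribute:
    a reply with a wrong secret or a replayed authenticator is discarded."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    # Constructed values: the secret and authenticator are placeholders.
    secret, req_auth = b"example-shared-secret", bytes(range(16))
    attrs = (encode_vsa(PALOALTO_VENDOR_ID, 1, "SE-Admin-Access")
             + encode_vsa(PALOALTO_VENDOR_ID, 2, "SANLUCAR"))
    pkt = build_access_accept(7, req_auth, secret, attrs)
    print("authentic:", verify_response(pkt, req_auth, secret))
    print("VSAs:", extract_paloalto_vsas(pkt[20:]))
```

If `verify_response` fails on a real capture, the shared secret on the Network Device entry in ISE does not match the one on the firewall's RADIUS server profile; if it passes but `extract_paloalto_vsas` returns nothing, the Authorization Profile is not attaching the dictionary attributes. Note that VSA 1 and 2 are the admin-role attributes the thread discusses; whether they are what GlobalProtect expects for VPN users is exactly the question raised earlier in the thread, and this example does not settle it.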
06-22-2017 04:12 AM
Glad to hear that it is working for you. Thanks for reverting back with this information.
08-15-2019 02:13 AM
Hi Alberto,
I wondered if you had managed to integrate the posture assessment capabilities of the ISE into the solution you have implemented with GlobalProtect.
Also, have you had any issues with the solution since you implemented it?
Andy
06-12-2020 10:09 PM
So VSA1 and VSA2: where are they in GlobalProtect? That is not in the client anywhere.
02-27-2021 02:21 AM
Has anyone got the GlobalProtect agent working with the Cisco ISE posture module, i.e. when a remote VPN user connects via GlobalProtect, the ISE posture module kicks in and sends info to Cisco ISE?
03-09-2021 07:43 PM
ISE Posture is a module in AnyConnect. You would need to use AnyConnect as your VPN agent.
03-12-2021 08:55 PM
You are right, but how do you implement Cisco ISE posture for remote VPN users who are already using PA GlobalProtect?