Cisco ISE authentication for Cisco Anyconnect Clients

kartik.shah1
Level 1

Hi,

We are planning to conduct a demonstration of Cisco ISE. Following is our scenario:

Scenario:

Cisco ISEv as Primary node is configured for DC.

Users are created locally in the database. Bangalore RAVPN (AnyConnect) users will authenticate to the DC ISEv to access resources in DC & DR.

Cisco ISEv as Secondary node is configured for DR.

Users are synchronized between DC and DR.

As in DC, AnyConnect users will authenticate to the local ISEv (DR) to access DC-DR resources.

If for any reason the primary ISE appliance fails, all the users that are authenticating to the DC appliance will redirect their requests to the DR ISE, authenticate from the DR ISE, and access DC & DR resources.

The customer is using Cisco Firepower in HA mode.

Can anyone help with how my configuration should look?

I have to create users locally in the ISE database.

I have attached the architecture diagram for the same.

Thanks.


Damien Miller
VIP Alumni

I think your ask is more of a Firepower configuration question than an ISE question. The requirement you identified, having one primary RADIUS server and a secondary RADIUS server, is a very common config on any network device. You will define/configure both servers in a RADIUS server group, then the Firepower device will handle the active/dead authentication piece.

Here is a guide that covers a sample AC remote access setup and also RADIUS server group configuration. Search for "Click Add for the Authentication Server and choose RADIUS Server Group - this will be your Cisco Identity Services Engine PSN (Policy Services Node)" about a quarter of the way down the guide.
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/213905-configure-anyconnect-vpn-on-ftd-using-ci.html

 

When complete, you should have two ISE nodes defined in this section.
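The answer above describes the behaviour a RADIUS server group gives you: the secondary PSN is only used once the primary has timed out enough times to be marked dead, and the primary is retried again after a dead time. As an added illustration that is not from this thread or from Cisco, here is a simplified Python model of that logic for the DC/DR scenario; the retry count, dead-time value and PSN names ise-dc/ise-dr are assumptions made for the walkthrough, not FTD's actual algorithm or defaults.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class RadiusServerGroup:
    """Simplified RADIUS server-group failover model (not FTD's actual algorithm)."""
    servers: List[str]                 # ordered: primary (DC PSN) first, then secondary (DR PSN)
    probe: Callable[[str], Optional[bool]]  # one Access-Request: True=Accept, False=Reject, None=timeout
    max_retries: int = 3               # timeouts before a server is marked dead (assumed value)
    dead_time: int = 60                # seconds a dead server is skipped (assumed value)
    dead_until: Dict[str, int] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def authenticate(self, user: str, now: int) -> Optional[str]:
        """Try servers in order, skipping any inside its dead time; return the one that answered."""
        for server in self.servers:
            if self.dead_until.get(server, 0) > now:
                self.log.append(f"{now}s: skipping {server}, dead until {self.dead_until[server]}s")
                continue
            for attempt in range(1, self.max_retries + 1):
                result = self.probe(server)
                if result is not None:
                    verdict = "Access-Accept" if result else "Access-Reject"
                    self.log.append(f"{now}s: {server} returned {verdict} for {user}")
                    return server
                self.log.append(f"{now}s: {server} timeout {attempt}/{self.max_retries}")
            self.dead_until[server] = now + self.dead_time
            self.log.append(f"{now}s: marking {server} dead until {now + self.dead_time}s")
        return None  # every server unreachable: the VPN login fails


def run_scenario() -> List[Optional[str]]:
    """Constructed walkthrough: the DC PSN answers, goes silent, then recovers."""
    state = {"dc_up": True}

    def probe(server: str) -> Optional[bool]:
        if server == "ise-dc":
            return True if state["dc_up"] else None
        return True  # the DR PSN always answers in this scenario

    group = RadiusServerGroup(servers=["ise-dc", "ise-dr"], probe=probe)
    outcomes = [group.authenticate("alice", now=0)]      # ise-dc answers
    state["dc_up"] = False
    outcomes.append(group.authenticate("bob", now=10))   # 3 timeouts, then fails over to ise-dr
    outcomes.append(group.authenticate("carol", now=20)) # ise-dc skipped as dead, ise-dr answers
    state["dc_up"] = True
    outcomes.append(group.authenticate("dave", now=30))  # still inside dead time, ise-dr again
    outcomes.append(group.authenticate("erin", now=70))  # dead time expired, back to ise-dc
    return outcomes
```

The walkthrough shows why, during a failover demo, users keep landing on the DR node for the whole dead time even after the DC node is back, and why the first login after an outage is slow (it waits through every retry before the secondary is tried); the group's log list records each step.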

Thanks a ton, Damien Miller!

Is there anything else I need to configure in Cisco ISE for the authentication policy?

Further, can I configure ISE as a CA instead of a Windows server? If yes, can you share the steps please?

ISE is validated with ASA only for SCEP -- ISE CA Issues Certificates to ASA VPN Users

The guide "Configure AnyConnect VPN on FTD using Cisco ISE as a RADIUS Server with Windows Server 2012 Root CA" (Cisco) should help you with the ISE configuration needed to authenticate a remote access VPN client from FTD.