Clarification on SAML authentication support for VPN in ISE

Chris Evans
Level 1

I have a customer currently using ASA VPN authentication -> ISE -> Microsoft AD.


They have SAML on OpenAM and are requesting assistance from me in integrating ISE into the authentication, with the end goal of SAML authentication of VPN users.  Links and documentation I see for this imply that the tested use cases on ISE are for guest and sponsor portals, not for VPN authentication (although one of the links implies that if the end user first authenticates their SSL VPN to SAML, they can leverage that authentication for subsequent access to these web pages, such as My Devices).  One such link is:


https://community.cisco.com/t5/identity-services-engine-ise/sso-authentication-for-ssl-vpn-using-ise/td-p/3583755


My customer has had some success integrating the ASA directly with OpenAM (the username is parsed and the authentication appears to be sent to OpenAM, but the ASA is not receiving a reply).  They'd like to have ISE record the accounting information for the users, however, and the username-to-IP mapping would be useful for their SIEM.

Reading through documentation on SAML I assume we can either:
- Have the ASA authenticate directly to their server but send accounting information to ISE (likely our best option) or
- Have a username/password authentication via AnyConnect at ISE via standard RADIUS but redirect to a web portal to get the SAML authentication.  This requires double authentication, though, and defeats the point of using SAML.

Am I correct on these and/or is there a different, better option?
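To make the first option concrete, the following ASA configuration fragment is an added example (not from this thread, and not Cisco's or the customer's own configuration) showing a tunnel group that authenticates AnyConnect users against a SAML 2.0 IdP while sending RADIUS accounting to ISE. The IdP entity ID and sign-in/sign-out URLs, the trustpoint names, the ISE address, the shared secret, and the pool and group-policy names are placeholders I assumed for illustration; the OpenAM metaAlias paths in particular must be taken from the real IdP metadata. SAML as an SP on the ASA requires ASA 9.7(1) or later.

```text
! Added example configuration, not from the thread. Hostnames, IPs,
! trustpoints, secrets and OpenAM URLs are assumed placeholders.

! RADIUS server group pointed at ISE and used only for accounting.
! 10.0.0.10 is an assumed ISE Policy Service Node address.
aaa-server ISE-ACCT protocol radius
 accounting-mode simultaneous
aaa-server ISE-ACCT (inside) host 10.0.0.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813

! SAML 2.0 identity provider definition; the ASA acts as the service provider.
! The entity ID and URLs come from the OpenAM IdP metadata (placeholders here).
webvpn
 saml idp https://openam.example.com/openam
  url sign-in https://openam.example.com/openam/SSORedirect/metaAlias/idp
  url sign-out https://openam.example.com/openam/IDPSloRedirect/metaAlias/idp
  base-url https://vpn.example.com
  trustpoint idp OPENAM-IDP-CERT
  trustpoint sp ASA-SP-CERT
  signature
  force re-authentication
  timeout assertion 300

! Tunnel group: SAML for authentication, ISE for accounting only.
tunnel-group SAML-VPN type remote-access
tunnel-group SAML-VPN general-attributes
 address-pool VPN-POOL
 accounting-server-group ISE-ACCT
 default-group-policy GP-SAML
tunnel-group SAML-VPN webvpn-attributes
 authentication saml
 saml identity-provider https://openam.example.com/openam
 group-alias SAML-VPN enable
```

With this in place the ASA sends Accounting-Start and Accounting-Stop records to ISE carrying User-Name (taken from the SAML assertion's NameID) and Framed-IP-Address (from the address pool), which is the username-to-IP mapping the SIEM needs, and ISE shows the tunnel as a session even though it performed no authentication. Two checks worth doing before relying on it: confirm that the NameID format OpenAM releases is the username form the SIEM expects, and confirm the ASA's own clock is synchronised with the IdP, since the `timeout assertion` window and the signed assertion's validity period are both evaluated against it. The caveat is that ISE cannot apply an authorization policy to a session it never authenticated; if per-user authorization from ISE is required alongside SAML, the tunnel group would additionally need an authorization-server-group pointed at ISE, and that authorization-only RADIUS flow should be tested against the ISE authentication policy rather than assumed to work.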

Accepted Solution

hslai
Cisco Employee

See my response at Solved: Re: SSO auth for Anyconnect using ISE S... - Cisco Community

The screenshot below shows a sample AnyConnect Connection Profile.

[Screenshot: sample AnyConnect Connection Profile]


3 Replies

Chris Evans
Level 1

A further point that I should reiterate: I had originally thought that the intention of SAML within this environment was SSO for end users using SAML for authentication to other assets.  That may still be the case, but they are indeed using the backend for MFA for users.  I have a meeting with the customer today and will get further clarification on the factors to be used for authentication and the drivers for SAML rather than RADIUS authentication, but initial feedback was that it was for improved end-user experience.
