07-17-2019 06:37 AM
Hello,
I am using F5 BIG-IP Access Policy Manager as a PCoIP Proxy/View Security Server. I also use smart cards as a 2FA solution in my View clients.
The F5 looks at the id on the smart card and provides access.
Once user is validated, APM sends a request to the load balanced pool of Connection Servers to get a list of authorized applications and desktops using HTTPS or HTTP. The user is then presented with the list of available and authorized desktops and applications.
I am trying to develop a NAC solution which allows the view client to access the F5 APM so that the smart card can be "initially" challenged. Within my NAC, ISE would supply an SGT (micro-segmentation) to my NAD which allows this activity to initially happen.
To complicate matters, I'd like to then do some type of Change of Authorization (CoA) feature which tells the NAD to flip the View client to an updated SGT once the identity has been validated, providing entirely new access.
Is the F5 capable of providing Cisco ISE an update on the identity on the smart card so that the CoA can be done and my NADs updated to supply updated access (RADIUS/pxGrid)?
Has anyone done this type of solution or something similar?
Thanks.
07-20-2019 09:27 AM
F5 is not part of the Security Technical Alliance Partners, so I do not think any formal integration exists.
> ... the smart card can be "initially" challenged ....
Usually the challenge is out-of-band and part of the authentication but not a separate authentication.
I am not familiar with this solution, so I glanced through Deploying F5 with VMware View and Horizon View. From what I can tell, the connection server or the APM would be the "NAD" that a View client connects to. If a VDI instance is a standard PC/Mac with an 802.1X supplicant connecting to a data center switch interface enabled for multi-auth, then the switch would be the NAD for the VDI; please check with F5 or VMware how the smart card info is passed over to the VDI.