F5 PCoIP Proxy - Cisco ISE Integration

chris-lawrence
Level 1

Hello,

I am using F5 BIG-IP Access Policy Manager as a PCoIP Proxy/View Security Server. I also use a smart card as a 2FA solution in my View clients.

The F5 looks at the id on the smart card and provides access.

Once the user is validated, APM sends a request to the load-balanced pool of Connection Servers to get a list of authorized applications and desktops using HTTPS or HTTP. The user is then presented with the list of available and authorized desktops and applications.

I am trying to develop a NAC solution which allows the view client to access the F5 APM so that the smart card can be "initially" challenged. Within my NAC, ISE would supply an SGT (micro-segmentation) to my NAD which allows this activity to initially happen.

To complicate matters, I'd like to then do some type of Change of Authorization (CoA) feature which tells the NAD to flip the View client to an updated SGT once the identity has been validated, providing an entirely new level of access.

Is the F5 capable of providing Cisco ISE an update on the identity on the smart card so that the CoA can be done and my NADs updated to supply updated access (RADIUS/pxGrid)?

Has anyone done this type of solution or something similar?

Thanks.

Accepted Solution

hslai
Cisco Employee

F5 is not part of the Security Technical Alliance Partners, so I do not think any formal integration exists.

> ... the smart card can be "initially" challenged ....

Usually the challenge is out-of-band and part of the authentication but not a separate authentication.

I am not familiar with this solution, so I glanced through Deploying F5 with VMware View and Horizon View. From what I can tell, the connection server or the APM would be the "NAD" that a View client connects to. If a VDI instance is a standard PC/Mac with an 802.1X supplicant connecting to a data center switch interface enabled for multi-auth, then the switch would be the NAD for the VDI; please check with F5 or VMware how the smart card info is passed over to the VDI.
