FTD SecurID authentication via ISE

dostorey
Level 1

Hi

Just checking if my use case is possible.

I want to use ISE to handle an authentication request so that a user at my customer will go to a web page (presumably provided by ISE) to put in his/her credentials and get authenticated. Then, their status is evaluated in a Firepower Threat Defense firewall ACL: if they are authenticated, they will be allowed through the firewall onto the customer's process control network (PCN). These users can be defined in AD or in ISE or LDAP (they'd prefer ISE, so they have control over how users are created). I am unsure of how we can provide usernames back to FMC so that they can be listed in ACLs. Normally, FMC expects AD or LDAP; does ISE present itself in this way?

Customer's use case is to not put AnyConnect on the client. Although they do have AnyConnect, they cannot enforce its usage on the contractors and 3rd party vendors who need access to the PCN. The way their solution works today is that the user signs in to a web page and that mapping of IP<->Username is then evaluated in their Juniper firewalls. They would prefer if we could just emulate the way their user community does this today.

We can communicate to RSA either through RADIUS or the SDI protocol. For our POC, we currently have a RADIUS connection.

thx Dominic

Message was edited by: Krishnan Thiruvengadam Dominic, This is a public site. So please refrain from using Customer name, Cisco ID, phone number and your personal information going forward. I have removed the customer name reference from the post above. Thanks Krishnan

Accepted Solution

The short of it is that this scenario has not been tested.

There are a couple of different options tossed around here. One is an option for a cut-thru proxy type setup. If FTD has this capability, then it would need the option to perform auth via RADIUS. Where the web portal is hosted is a separate topic. ASA CTP had the ability to pop a basic login window. For ISE to support FTD as the web portal, FTD would need to have LWA-type support. In this scenario, a POST request would be sent for FTD to retrieve the user credentials entered via the ISE portal. These credentials are then used to perform RADIUS auth. Yes, the two functions are distinct operations. Today, I am only aware of Airespace WLC and Catalyst switches having native support for this flow. So the question is whether FTD could perform a redirect to an external web portal and handle the directives returned by ISE after the redirect.

The second scenario cited was the ability to trigger a web auth after the initial VPN auth. Technically this may be possible as it is similar to the Posture flow, but it is not tested.

Obviously this represents two different use cases: one where the firewall is a remote access VPN gateway, the other where the firewall is an inline enforcement device for LAN traffic.

/Craig


5 Replies

Jason Kunst
Cisco Employee

ISE doesn’t have a hosted web page for this scenario

ASA clientless had this ability, not sure if FTD can do the same

Would recommend you reach out to them to see if they have same feature

Why can’t I use the guest portal page subsystem for this?

Dominic Storey

EMEA Technical Solutions Architect, Global Enterprise

dostorey@cisco.com

Phone: +44 20 8824 9444

Mobile: +44 7789 374 265

The guest portal works with RADIUS sessions from ISE authenticated sessions

If FTD can provide redirect, CoA and RADIUS sessions like the ASA does, then this may work

Now that I think about it, the requirement is to first authenticate and authorize using a VPN session, then you can direct to a guest portal. This is considered CWA chaining

Without a tunnel up and a RADIUS session established with ISE, then I don’t think this is possible
