08-13-2022 05:23 AM
Below are the customer requirements:
1. VPN authentication
2. BYOD WiFi
3. Guest WiFi
4. TACACS authentication
Scenario: VPN is configured in Firepower and VPN user authentication will be done through RADIUS (ISE).
Questions:
1. For VPN user authentication, is the Advantage license enough?
2. Can we do an intranet access restriction policy for internet users, or vice versa?
08-13-2022 09:03 PM
As ahollifield mentioned, just Essential is needed for basic AAA, but having Advantage is always good because it gives you additional features. You can see the complete feature list of ISE licenses in section 2.1.2 here: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide-c07-656177.html
Since you mentioned TACACS, keep in mind that for TACACS there is a separate license, called the Device Administration license. This is on top of Essential or Advantage, and you need to purchase one per ISE node that you will use for authentication.
You also mentioned BYOD, where you provision users bringing their own devices for EAP-TLS using ISE as the certificate authority, onboard them, and give them the ability to manage their personal devices. For this you will need the Advantage license.
For the second question, intranet user restriction to the internet can be done by ISE using a dynamic ACL or dynamic VLAN through ISE; however, internet user (non-VPN) access to the intranet will be a function of your Firepower, not ISE.