Identity Service Engine VPN Information

somnath.c
Level 1

Below are the customer requirements:

1. VPN Authentication
2. BYOD WiFi
3. Guest WiFi
4. TACACS Authentication

Scenario: VPN is configured on Firepower, and VPN user authentication will be done through RADIUS (ISE).

Questions:
1. For VPN user authentication, is the Advantage license enough?
2. Can we do an intranet access restriction policy for internet users, or vice versa?

1 Accepted Solution

Accepted Solutions

ammahend
VIP

As ahollifield mentioned, just Essentials is needed for basic AAA, but having Advantage is always good because it gives you additional features. You can see the complete feature list of ISE licenses in section 2.1.2 here: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide-c07-656177.html

Since you mentioned TACACS, keep in mind that for TACACS there is a separate license, called the Device Administration license. This is on top of Essentials or Advantage, and you need to purchase one per ISE node that you will use for authentication.

You also mentioned BYOD - where you provision users bringing their own devices for EAP-TLS using ISE as the certificate authority, onboard them, and give them the ability to manage their personal devices. For that you will need the Advantage license.

For the second question, intranet user restriction to the internet can be done by ISE using a dynamic ACL or dynamic VLAN through ISE; however, internet user (non-VPN) access to the intranet will be a function of your Firepower, not ISE.

-hope this helps-


2 Replies

  1. Yes, Essentials is actually enough here.
  2. Yes.
