[ISE and anyconnect] ISE version and MFA with ipsec anyconnect tunnels and firepower

Kris Tof
Level 1

Hello community,

I plan to deploy an architecture as follows:
Anyconnect client<====IPSEC tunnel====> firepower with ASDM<=> ISE + external authentication provider
I am relatively new to ISE and I am trying to understand all interactions between components.

The solution should handle these multiple authentications:
- machine certificate
- user certificate or credential
- external identity provider for second user authentication (ex: OTP)


1) My first (pre)question is about the ISE version. Which is the recommended version to deploy for a fresh new install?
Version 2.7 has been released since Q4 2019. There are a lot of changes, especially MnT database optimizations. But this version is relatively new.

2) Regarding authentication, I understand that the machine certificate is normally used for tunnel establishment. The Firepower then forwards user authentication to ISE. ISE can contact an AD or RADIUS server for the first user authentication.
I looked at the IPsec with Duo use case. A Duo (or another identity provider) authentication proxy seems mandatory to handle the second authentication. Regarding ISE capabilities, I would like not to use an authentication proxy for the second authentication.

I have seen in the ISE 2.6 admin guide that we can define a SAML IdP as an external identity source.
Can ISE handle SAML requests for the second authentication in a use case with the AnyConnect client IPsec tunnel and Firepower as the IPsec termination?
And if so, could you describe the authentication steps? (user portal needed? which component asks the external IdP? Firepower, ISE, ...?)

K.

Accepted Solution

Greg Gibbs
Cisco Employee

1. ISE 2.6 is currently the Cisco Suggested release based on software quality, stability and longevity. ISE 2.7 would only be recommended if you require a new feature implemented in that version.


2. As noted in the ISE Admin Guide, SAML IdP is only supported for portal-based authentication for the following ISE Portals:

  • Guest portal (sponsored and self-registered)

  • Sponsor portal

  • My Devices portal

  • Certificate Provisioning portal

Cheers,

Greg

hslai
Cisco Employee

Adding to Greg's...

Duo is mainly cloud-based, so an auth proxy is required to get the OTP authenticated. Thus, you may opt for an on-prem OTP provider instead.

Kris Tof
Level 1

Thank you Greg and hslai (and sorry for my late response).

Ok for ISE version 2.6.


For the second user authentication, I would like to try to avoid the use of a proxy between ISE and the external authentication source.

Our cloud provider allows RADIUS or HTTPS requests to get a mobile push. A RADIUS proxy is used to encapsulate the RADIUS request in an HTTPS flow (more reliable than a direct RADIUS request over the Internet). That's why I am thinking of SAML.

But according to your answers, I need a proxy.

I am still not familiar with ISE authentication mechanisms.
