02-14-2020 06:51 AM - edited 02-14-2020 08:10 AM
Hello community,
I plan to deploy an architecture as follows:
Anyconnect client<====IPSEC tunnel====> firepower with ASDM<=> ISE + external authentication provider
I am relatively new on ISE and I am trying to understand all interactions between components.
The solution should handle these multiple authentications:
- machine certificate
- user certificate or credential
- external identity provider for second user authentication (ex: OTP)
1) My first (pre)question is about the ISE version. Which is the recommended version to deploy for a fresh new install?
Version 2.7 has been released since Q4 2019. There are a lot of changes, especially MnT database optimizations. But this version is relatively new.
2) Regarding authentication, I understand that the machine certificate is normally used for tunnel establishment. The Firepower then forwards user authentication to ISE. ISE can contact an AD or RADIUS server for the first user authentication.
I looked at the use case IPSEC with Duo. A Duo (or another identity provider) authentication proxy seems mandatory to handle the second authentication. Regarding ISE capabilities, I would like not to use an authentication proxy for the second authentication.
I have seen in the ISE 2.6 admin guide that we can define a SAML IdP as an external identity source.
Can ISE handle SAML requests for the second authentication in a use case with an AnyConnect client IPSEC tunnel and Firepower as the IPSEC termination?
And if so, could you describe the authentication steps? (Is a user portal needed? Which component asks the external IdP (Firepower, ISE, ...)?)
K.
02-16-2020 07:42 PM
1. ISE 2.6 is currently the Cisco Suggested release based on software quality, stability and longevity. ISE 2.7 would only be recommended if you require a new feature implemented in that version.
2. As noted in the ISE Admin Guide, SAML IdP is only supported for portal-based authentication for the following ISE Portals:
Guest portal (sponsored and self-registered)
Sponsor portal
My Devices portal
Certificate Provisioning portal
Cheers,
Greg
02-20-2020 08:32 PM
Adding to Greg's...
Duo is mainly cloud-based so auth proxy required to get OTP authenticated. Thus, you may opt for an on-prem OTP provider, instead.
02-24-2020 01:29 AM
Thank you Greg and hslai (and sorry for my late response).
Ok for ISE version 2.6.
For the second user authentication, I would like to try to avoid the use of a proxy between ISE and the external authentication source.
Our cloud provider allows RADIUS or HTTPS requests to get a mobile push. A RADIUS proxy is used to encapsulate the RADIUS request in an HTTPS flow (more reliable than a direct RADIUS request over the Internet). That's why I thought of SAML.
But according to your answers, I need a proxy.
I am still not familiar with ISE authentication mechanisms.