Showing results for 
Search instead for 
Did you mean: 
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


[ISE and anyconnect] ISE version and MFA with ipsec anyconnect tunnels and firepower

Hello community,

I plan to deploy an architecture as follow :
Anyconnect client<====IPSEC tunnel====> firepower with ASDM<=> ISE + external authentication provider
I am relatively new on ISE and I am trying to understand all interactions between components.

The solution should handle theses multiple authentications :
- machine certificate
- user certificate or credential
- external identity provider for second user authentication (ex: OTP)

1)My first (pre)question is about ISE version. Which is the recommended version to deploy for a fresh new install ?
Version 2.7 has been released since Q4 2019. There are a lot of changes and specially  MnT database optimizations. But this version is relatively new.

2) Regarding authentication, I understand that machine certificate is normally used for tunnel establishment. The Firepower then forwards user authentication to ISE. ISE can contact an AD  or Radius for first user authentication.
I look at the use case IPSEC with duo. A DUO (or another identity provider) authentication proxy seems mandatory to handle second authentication. Regarding ISE capabilities, I would like to not use an authentication proxy for second authentication.

I have seen in ISE 2.6 admin guide that we can define an SAML IdP as external  identity source.
Does ISE can handle SAML requests for second authentication in a use case with anyconnect client IPSEC tunnel and firepower as IPSEC termination ?
And if so, could you describe the authentications steps ? (user portal needed? which component asks external IdP? (firepower, ise,..?)


Cisco Employee

Re: [ISE and anyconnect] ISE version and MFA with ipsec anyconnect tunnels and firepower

1. ISE 2.6 is currently the Cisco Suggested release based on software quality, stability and longevity. ISE 2.7 would only be recommended if you require a new feature implemented in that version.


2. As noted in the ISE Admin Guide, SAML IdP is only supported for portal-based authentication for the following ISE Portals:

  • Guest portal (sponsored and self-registered)

  • Sponsor portal

  • My Devices portal

  • Certificate Provisioning portal