Frequent Contributor

ISE as dedicated radius

Hello,

For one of our projects, we are looking at using ISE as RADIUS, primarily for VPN users.

Now, what is the case for spending on ISE instead of directly getting the ASA firewall to talk to MS Active Directory or LDAP?

After all, ISE will only be facilitating communication between the ASA and Active Directory for user authentication.

Appreciate all inputs. Thanks.

Accepted Solution

Beginner

Re: ISE as dedicated radius

If you're only looking to use LDAP accounts for your logins, then ISE does not bring much to the table.

The biggest advantage you'll get is that you can manage your policies much more effectively in ISE than by using an ldap attribute-map on the ASA.

Moreover, ISE allows you to build your policy more effectively and to expand your identity control to other solutions that do not natively support LDAP authentication/authorization. For example, if you have a multi-vendor network or if you want to implement Duo two-factor authentication with Duo Prompt, RADIUS is the best option.

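To make the contrast in the accepted answer concrete, here is an added ASA configuration fragment (not from the original thread or from Cisco documentation) showing the two approaches side by side: group-to-policy mapping done on the ASA with an ldap attribute-map, versus handing authentication and authorization to ISE over RADIUS, where ISE's authorization policy returns the group-policy name and the ASA only needs a RADIUS server definition. All hostnames, IP addresses, DNs, keys and group-policy names below are assumptions chosen for illustration.

```cisco
! ---------- Option A: ASA talks to AD directly over LDAP ----------
! Group membership is mapped to an ASA group-policy on the ASA itself.
! Every new group or rule means another map-value line on every ASA.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Admins,OU=Groups,DC=example,DC=com" GP-ADMINS
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com" GP-USERS

aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ! Bind over TLS (636); a plain 389 bind sends the service-account password
 ! and every user password in cleartext.
 ldap-over-ssl enable
 server-port 636
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! ---------- Option B: ASA talks to ISE over RADIUS ----------
! ISE authenticates against AD and returns the group-policy in the
! IETF Class attribute (OU=GP-USERS); group logic lives in ISE, not here.
aaa-server ISE-RADIUS protocol radius
aaa-server ISE-RADIUS (inside) host 10.0.0.20
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813

! Default-deny: a user ISE authenticates but returns no group-policy for
! lands in a policy that allows zero sessions instead of the built-in default.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

tunnel-group VPN-TG general-attributes
 authentication-server-group ISE-RADIUS
 accounting-server-group ISE-RADIUS
 default-group-policy GP-NOACCESS
```

The security-relevant checks either way: the LDAP path needs `ldap-over-ssl enable` so the bind credentials are not on the wire in cleartext, and the RADIUS path needs a strong, per-device shared secret, since RADIUS only obfuscates the User-Password attribute with an MD5 construction keyed by that secret. With Option B, adding Duo or a second vendor's VPN headend means another RADIUS client in ISE rather than another attribute-map on each firewall, which is the point the answer above makes.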

3 Replies

Frequent Contributor

Re: ISE as dedicated radius

Thank you.

There was also a discussion of using Windows NPS instead of dedicated RADIUS solutions (e.g. ISE).

I have not used Windows NPS before and have no idea how good or bad it is for a VPN scenario.

Additionally, I also heard that having the ASA directly talk to LDAP or Windows NPS is not considered best security practice.

Appreciate inputs.

Cisco Employee

Re: ISE as dedicated radius

Our team can't comment on any 3rd-party products. I would suggest you test it yourself and consult the vendor's support if you run into any issue.

The main issue with connecting AD using an LDAP interface is that it does not scale well. In case you have only one domain controller and one ASA, then it's likely simpler for you to connect ASA directly to AD via LDAP.