Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1303
Views
5
Helpful
3
Replies

ISE as dedicated radius

Go to solution
suthomas1
Level 6
Level 6

‎11-03-2019 02:33 AM

Hello,

for one of our projeccts, we are looking at using ise as radius primarily for VPN users.

now, what is the case for spending on ISE instead of directly getting ASA firewall talk to MS active directory or ldap.

After all ISE will only be facilatiting communication between asa & active directory for user authentication.

Appreciate  all inputs.thanks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
alex_dufresne
Level 1
Level 1

‎11-03-2019 03:38 AM

If you're only looking for using LDAP accounts for your logins, then ISE does not bring much to the table.

 

The biggest advantage that you'll get is that you can manage your policies much more effectively in ISE than using ldap attribute-map on the ASA.

 

Moreover, ISE allows you to more effectively build your policy and to expand your identity control to other solutions that do not natively support LDAP authentication/authorization.For example, if you have a multi-vendor network or if you want to implement Duo two-factor authentication with Duo Prompt, RADIUS is the best option.

View solution in original post

3 Replies 3

Go to solution
alex_dufresne
Level 1
Level 1

‎11-03-2019 03:38 AM

If you're only looking for using LDAP accounts for your logins, then ISE does not bring much to the table.

 

The biggest advantage that you'll get is that you can manage your policies much more effectively in ISE than using ldap attribute-map on the ASA.

 

Moreover, ISE allows you to more effectively build your policy and to expand your identity control to other solutions that do not natively support LDAP authentication/authorization.For example, if you have a multi-vendor network or if you want to implement Duo two-factor authentication with Duo Prompt, RADIUS is the best option.

Go to solution
suthomas1
Level 6
Level 6
In response to alex_dufresne

‎11-03-2019 02:28 PM

Thank you.

there was also a discussion of using windows nps instead of dedicated radius solutions(eg. ISE).

I have not used windows nps before & have no idea on how good/bad it is for a vpn scenario?

 

Additionally,i also heard that having the asa directly talk to ldap or windows nps is not considered best security.

 

Appreciate inputs.

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to suthomas1

‎11-08-2019 09:53 AM

Our team can't comment on any 3rd-party products. I would suggest you to test it yourself and consult the vendor's support if running any issue.

The main issue with connecting AD using an LDAP interface is that it does not scale well. In case you have only one domain controller and one ASA, then it's likely simpler for you to connect ASA directly to AD via LDAP.

0 Helpful
Customers Also Viewed These Support Documents