ISE as dedicated radius

suthomas1
Level 6

Hello,

For one of our projects, we are looking at using ISE as RADIUS, primarily for VPN users.

Now, what is the case for spending on ISE instead of directly getting the ASA firewall to talk to MS Active Directory or LDAP?

After all, ISE will only be facilitating communication between the ASA and Active Directory for user authentication.

Appreciate all inputs. Thanks.

1 Accepted Solution

alex_dufresne
Level 1

If you're only looking at using LDAP accounts for your logins, then ISE does not bring much to the table.

The biggest advantage that you'll get is that you can manage your policies much more effectively in ISE than using ldap attribute-map on the ASA.

Moreover, ISE allows you to more effectively build your policy and to expand your identity control to other solutions that do not natively support LDAP authentication/authorization. For example, if you have a multi-vendor network or if you want to implement Duo two-factor authentication with Duo Prompt, RADIUS is the best option.

3 Replies



Thank you.

There was also a discussion of using Windows NPS instead of dedicated RADIUS solutions (e.g. ISE).

I have not used Windows NPS before and have no idea how good or bad it is for a VPN scenario.

Additionally, I also heard that having the ASA directly talk to LDAP or Windows NPS is not considered best security.

Appreciate inputs.

Our team can't comment on any 3rd-party products. I would suggest you test it yourself and consult the vendor's support if you run into any issue.

The main issue with connecting to AD using an LDAP interface is that it does not scale well. If you have only one domain controller and one ASA, then it's likely simpler for you to connect the ASA directly to AD via LDAP.