I have a requirement where ISE needs to do Profiling and Posturing for VPN endpoints using PAN's GlobalProtect, I want your opinion on how to support Posturing and Profiling for VPN users connecting to the network using PAN's GlobalProtect. I have an assumption on the following info which I got from a Cisco Engineer.
Palo Alto does not support RADIUS CoA (Change of Authorization) [RFC-3576]. As a result, most advanced ISE features (Posture, BYOD, Profiling, etc) on VPN would not be supported when integrating with PAN
PAN does support standard RADIUS attributes. As a result, we can perform basic RADIUS based authentication for RA-VPN clients
PAN does support both RADIUS and TACACS+ for device administration. Thus, ISE can be configured to provide AAA services for PAN based administrators
Currently that is correct. Without a way to trigger CoA, then user may be deemed posture compliant but no way to reauthorize after initial quarantine without manual intervention by user.
Learn, share, save
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
