ISE support for VPN users

jinapark
Cisco Employee

Hello Experts!

My customer wants VPN user AAA using AD+OTP and management approval.

- This is for VPN solution only and applied to all devices including personal devices (laptop, iPad etc) and company-owned device (laptop)

- The approval process from management needs to be done for every VPN access. Currently, they have a VPN solution with AD auth and OTP. They need an extra layer of security with management approval before establishing a VPN connection.

What I understand is, the customer can do RSA-AD authentication and there’s no way we can combine management approval on top of it. Does anyone know if we can combine the management approval feature with other methods like AD, RSA, LDAP etc.? I could only see that management approval is supported for the guest service, where a self-registered guest's request is sent to the sponsor for approval, and we can't combine it with AD or OTP service, but I would like to check if there's any method we can work around this.

Any comments or design would be highly appreciated!

Regards,

Jina

3 Replies

gbekmezi-DD
Level 5

This is an odd request. I don’t see how ISE can help you with this. One way you could accomplish this is by creating a portal/web page for the VPN request. Have that page send an email or text to the manager. Then the manager clicks on a link that adds the requestor to a VPN approved group for some amount of time (maybe 10 minutes). Then you can authorize the user based on group membership.

George
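One way to build the workflow George describes, as an added example that is not part of this thread or of any Cisco product: a signed, time-limited approval link emailed to the manager, a click that puts the requestor in a "VPN approved" group for a fixed window, and the authorization rule that checks that group. The in-memory group store, signing key, link TTL and 10-minute window are assumptions made for the demo.

```python
# Added example (not from the thread): a minimal form of the design George
# describes: an approval link the manager clicks, which grants time-limited
# membership in a "VPN approved" group that the VPN authorization rule checks.
# The in-memory group store, signing key, link TTL and 10-minute window are
# assumptions made for this demo.
import hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, urlencode, urlsplit

APPROVAL_WINDOW = 600   # seconds the user stays VPN-approved (10 minutes)
LINK_TTL = 900          # seconds the manager has to act on the emailed link
SECRET = secrets.token_bytes(32)  # constructed signing key; never leaves the server
vpn_approved = {}       # username -> approval expiry (epoch seconds)

def _sign(username, exp):
    return hmac.new(SECRET, f"{username}|{exp}".encode(), hashlib.sha256).hexdigest()

def make_approval_link(username, now=None):
    """Link emailed to the manager. The HMAC binds requestor and expiry, so
    the link cannot be edited to approve someone else or to extend it."""
    exp = int(now if now is not None else time.time()) + LINK_TTL
    query = urlencode({"user": username, "exp": exp, "sig": _sign(username, exp)})
    return f"https://approvals.example.invalid/approve?{query}"

def parse_approval_link(url):
    """Recover (username, exp, sig) from the query string of the link."""
    q = dict(parse_qsl(urlsplit(url).query))
    return q["user"], int(q["exp"]), q["sig"]

def approve(username, exp, sig, now=None):
    """Manager clicked the link: check the signature and link expiry, then add
    the requestor to the VPN-approved group for APPROVAL_WINDOW seconds."""
    now = now if now is not None else time.time()
    if not hmac.compare_digest(_sign(username, exp), sig):
        return False                 # tampered or forged link
    if now > exp:
        return False                 # manager acted too late
    vpn_approved[username] = now + APPROVAL_WINDOW
    return True

def is_vpn_authorized(username, now=None):
    """Rule the VPN authorization policy evaluates per connection attempt:
    in the approved group and the approval has not yet expired."""
    now = now if now is not None else time.time()
    until = vpn_approved.get(username)
    if until is None or now > until:
        vpn_approved.pop(username, None)   # drop stale membership
        return False
    return True
```

A manager can click the same link again within LINK_TTL, so a production version would also record a one-time nonce per request and bind the approval to the requesting session.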

hslai
Cisco Employee

I agree with George.

ASA supports multiple authentications so it's possible to have an OTP that only managers have access to and for them to provide the passcodes to the VPN users. Or, some MFA with one factor to send SMS or the like to the managers to accept the requests.

paul
Level 10

Just to add to what has already been said. You could craft something with REST API integration as well, but it seems like you are trying to solve what is a non-technical problem.

A person just doesn't get an RSA token on their own. The customer has no management approval required to hand out RSA tokens?

A person doesn't automatically get added to the AD group required for VPN access. The customer has no management approval required to get added to the AD group required for VPN access?