12-15-2016 07:15 AM
Have customer that is using a 3rd party radius server to determine LDAP group membership as an attribute to see if VPN access is authorized before authenticating against an OTP.
Sequence is as follows:
1. User connects with username and OTP password; VPN concentrator sends credentials to RADIUS server
2. RADIUS server takes username and does LDAP lookup to see if user is a member of VPN-Allowed group
3. If user is not a member, RADIUS server returns access-reject
4. If user is allowed, RADIUS server then bounces password off of RADIUS-based OTP
5. If OTP is correct, RADIUS server returns access-accept and several LDAP attributes from the user's record to VPN concentrator
This scenario uses authorization (group membership) as the method to verify if the user is allowed VPN before it does authentication against the OTP. And then returns LDAP attributes inside the radius packet if authc/authz is successful. AuthZ from LDAP and AuthC from OTP
Is this scenario possible with ISE?
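The five-step flow above, written out as a small policy simulation. This is an added example, not code from the thread, from SBR or from ISE: the LDAP directory and the OTP server are in-memory stand-ins constructed here, the group DN `cn=VPN-Allowed,...` and the attribute mapping into `Reply-Message`/`Class` are assumptions, and the OTP server is modelled as an RFC 4226 HOTP check (using the RFC's published test-vector seed) so that the authentication step is real rather than a stub. The point it shows is the ordering the original post asks about: the group check decides first, and the OTP server is only contacted for authorized users.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass, field

# Hypothetical group DN; constructed for this example.
VPN_GROUP = "cn=VPN-Allowed,ou=groups,dc=example,dc=com"

# Constructed stand-in for the LDAP directory: username -> attributes.
DIRECTORY = {
    "alice": {
        "memberOf": [VPN_GROUP, "cn=Staff,ou=groups,dc=example,dc=com"],
        "mail": "alice@example.com",
        "department": "engineering",
    },
    "bob": {
        "memberOf": ["cn=Staff,ou=groups,dc=example,dc=com"],
        "mail": "bob@example.com",
        "department": "finance",
    },
}

# Constructed stand-in for the OTP server: per-user HOTP seed and counter.
# The seed is the RFC 4226 test-vector secret, not a real deployment value.
OTP_SEEDS = {
    "alice": {"secret": b"12345678901234567890", "counter": 0},
    "bob": {"secret": b"12345678901234567890", "counter": 0},
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def otp_server_verify(username: str, code: str, seeds=OTP_SEEDS, window: int = 3) -> bool:
    """Stand-in for 'bouncing the password off the OTP server'.
    Accepts the current counter or a small look-ahead window and advances the
    counter on success, so a code that was already used cannot be replayed."""
    seed = seeds.get(username)
    if seed is None:
        return False
    for step in range(window):
        candidate = seed["counter"] + step
        if hmac.compare_digest(hotp(seed["secret"], candidate), code):
            seed["counter"] = candidate + 1
            return True
    return False


@dataclass
class RadiusResponse:
    code: str                              # "Access-Accept" or "Access-Reject"
    attributes: dict = field(default_factory=dict)
    reason: str = ""                       # for logging; not sent on the wire


def handle_access_request(username: str, password: str,
                          directory=DIRECTORY, seeds=OTP_SEEDS) -> RadiusResponse:
    """The proxy RADIUS policy from the thread:
    1. authorize via LDAP group membership,
    2. only then authenticate the OTP,
    3. on success return Access-Accept carrying LDAP attributes."""
    entry = directory.get(username)
    if entry is None:
        return RadiusResponse("Access-Reject", reason="unknown user")
    if VPN_GROUP not in entry["memberOf"]:
        # Rejected before the OTP server is ever contacted.
        return RadiusResponse("Access-Reject", reason="not a member of VPN-Allowed")
    if not otp_server_verify(username, password, seeds):
        return RadiusResponse("Access-Reject", reason="OTP rejected")
    # Hypothetical attribute mapping; a real deployment would map LDAP
    # attributes onto the concentrator's vendor-specific AVPs instead.
    attrs = {
        "User-Name": username,
        "Reply-Message": f"mail={entry['mail']}",
        "Class": f"dept={entry['department']}",
    }
    return RadiusResponse("Access-Accept", attributes=attrs)


if __name__ == "__main__":
    # alice is in VPN-Allowed, so her first HOTP code (counter 0) is accepted;
    # bob is not, so his request never reaches the OTP check.
    print(handle_access_request("alice", hotp(OTP_SEEDS["alice"]["secret"], 0)))
    print(handle_access_request("bob", hotp(OTP_SEEDS["bob"]["secret"], 0)))
```

Because `otp_server_verify` advances the counter, submitting the same code a second time is rejected, and because the group check runs first, a non-member's counter is never consulted; both are worth checking when validating a replacement for SBR, since the thread's later posts note that ISE itself evaluates authentication before authorization.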
12-15-2016 09:03 AM
Any specific reason to follow the flow sequence exactly like that?
At present, ISE by itself will always perform authentication first before going on with authorization. ASA supports multiple authentications, so I would suggest contacting the ASA support teams to see whether the ASA is able to perform authorization only in the first auth before going on with the real authentication in the 2nd auth.
12-15-2016 02:18 PM
This configuration is already in place using Juniper Concentrator and Juniper SBR. User connects to Juniper and enters in their username/OTP. Juniper forwards to SBR, SBR queries LDAP and if group is correct, then bounces OTP password off of OTP server. If valid, SBR returns attributes to the concentrator. The customer is looking to replace SBR with ISE if use case is supported. I believe the order of operations (Authz/AuthC) does not matter. I just need ISE to pull user attributes from one credential store and validate the password from another credential store. That's what the customer has in place now.
12-15-2016 02:30 PM
You are correct that ISE should be able to achieve the same results in retrieving LDAP attributes, as long as the sequence does not matter.
12-15-2016 04:33 PM
Light went on. Thanks for the help