welchari
Cisco Employee

Microsoft Direct Access VPN Interoperability

Dear TME,

I need to know about the compatibility of Microsoft DirectAccess VPN with Cisco ISE & Cisco AnyConnect.

I could not find a lot of data about it. So:

1- Can ISE see the Microsoft DirectAccess VPN server as a NAD & communicate with it via RADIUS & issue CoA?

2- Can AnyConnect coexist with the Microsoft DirectAccess VPN agent to do the posture part only?

Kindly do share more details or links about this.

Thanks,

Wissam

Accepted Solution
Jason Kunst
Cisco Employee

I am pretty sure that Microsoft DirectAccess doesn't act like a traditional VPN service like AnyConnect, where you would bring up a tunnel, be required to do posture, and then do a CoA after posture is complete. Regardless, only Cisco VPNs support CoA.

Therefore there is no integration or co-existence.

Microsoft DirectAccess: An Overview


Added our VPN SME as well to keep me honest

pcarco

3 Replies

Hello Wissam & Jason,

Microsoft DirectAccess is a machine tunnel and uses a certificate to achieve this tunnel; there is no user auth. The tunnel is established by the machine and not the user, which is completely different from AnyConnect.

CoA requires RADIUS for the AuthN or AuthZ, so an endpoint with DirectAccess is not going to work with ISE the way AnyConnect / System Scan and ISE integrate for CoA.

No, it cannot co-exist the way you describe; if the user is remote, then AnyConnect must establish the tunnel to the ASA and auth to ISE.

Best regards,

Paul

welchari
Cisco Employee

Thanks a lot guys for the helpful answers.
