Palo Alto & Cisco ISE Integration

Jason Weids
Level 1

We are looking for a way to apply our ISE policies to users connecting to our GlobalProtect VPN. The objective is to authenticate the user and identify if they are using a trusted device, i.e. a domain machine or a device that is a member of an identity group.

Accepted Solutions

ISE is a RADIUS server; you can use it with any product that supports a standard RADIUS implementation. That said, you need to make sure that the Palo Alto product supports it for your use case. I know with ASA and AnyConnect you can send machine credentials.

https://community.cisco.com/t5/policy-and-access/vpn-machine-authentication/td-p/3200088

If you are trying to do two-factor authentication, then ASA supports two different ways to authenticate users using VPN tunnel groups, one of which could be ISE. Please look at the off-campus use cases given below.

https://community.cisco.com/t5/security-documents/two-factor-authentication-on-ise-2fa-on-ise/ta-p/3636120

 


6 Replies

Surendra
Cisco Employee
I believe you are talking about authenticating VPN users using ISE as a RADIUS server and checking whether the user is an authentic user and also the machine which he is on. For VPN authentication, ISE will not know the machine from which the VPN connection is being made, especially when you are using a third-party firewall and software, as they would simply send a RADIUS request with the credentials that the user enters. Only the user can be authenticated and provisioned access accordingly in this case.


manvik
Level 3

Anyone got this working? PA GlobalProtect with ISE posture.

How did it end for you?

GlobalProtect with ISE posture is not possible. ISE needs the AnyConnect agent for posturing.

Yes, I mean AnyConnect is used for posture, but the laptop can still have GlobalProtect on it, so I wonder if both of them on one laptop worked for you and if you had any problems with it. I personally see posture working incorrectly when GlobalProtect is available.