RA VPN (Any connect) password change using ISE and Active Directory

Philip Badhams
Level 1

Hi All

I am trying to understand if it is possible to send password expiry notifications / reset password for RA VPN Users.

 

The current setup uses 2FA as follows:

1) User connects to FTD Outside Interface

2) The FTD passes the request via RADIUS to ISE

3) ISE (which is integrated into Active Directory) queries the account via LDAP

4) ISE returns the result to the FTD

5) The FTD connects to the 2FA server and prompts the user for a token code.

6) The user is granted access.

 

My thinking is it is not currently possible in the above setup, as the FTD / FMC does not talk directly to AD; instead it communicates via ISE.

 

I have been trying to follow the below configuration to test the theory

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/213905-configure-anyconnect-vpn-on-ftd-using-ci.html

 

What I cannot tell from the above guide is whether or not ISE is required to integrate with Active Directory (as an external identity source) for it to work. The guide only shows setting up the realm in the FMC.

 

Any clarification would be appreciated.

 

Thanks

1 Accepted Solution

Hi @Philip Badhams

Yes, ISE is required to be integrated with AD in External Identity Sources > Active Directory. On the link that you provided, search for Cisco ISE and take a look at the screenshot related to RADIUS > Live Logs; look at the Steps: 24402 User authentication against Active Directory succeeded.

 

Hope this helps !!!

 


3 Replies

Is there a reason why both FMC and ISE need to be connected to AD in the scenario? I cannot see where the FMC talks directly to AD. All the authentication requests appear to go from the FMC to ISE and then to AD.

Philip Badhams, I've not used FMC/FTD for RA-VPN yet, but I believe it is not required to integrate with AD if you are not using any objects from AD in the policies in FMC.

If you want to support password changes for AD users, then the VPN head-end needs to use MSCHAPv2 to connect to ISE.
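Two things the thread leaves implicit, shown as an added example that is not from any of the posters and is not Cisco code. First, the "password expiry notification" the original post asks about is computed from AD attributes that only the AD-joined party (ISE in this design) can read: the user's pwdLastSet (a Windows FILETIME, 100-ns ticks since 1601-01-01 UTC), the domain's maxPwdAge (a negative 100-ns interval) and the DONT_EXPIRE_PASSWD bit in userAccountControl. Second, the reason the last reply insists on MSCHAPv2 rather than PAP: with PAP an expired password is just an Access-Reject, whereas MS-CHAPv2 returns an MS-CHAP-Error attribute whose text carries E=648 (ERROR_PASSWD_EXPIRED) and a V= field telling the client it may send a Change-Password packet (RFC 2548 section 2.1.6, RFC 2759 section 6). All sample values below are constructed; nothing connects to AD, ISE or a RADIUS server.

```python
"""AD password-expiry maths and MS-CHAP-Error parsing (added example, constructed data)."""
import re
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl flag
UF_NORMAL_ACCOUNT = 0x200


def datetime_to_filetime(dt: datetime) -> int:
    """UTC datetime -> FILETIME ticks (integer arithmetic, no float rounding)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME ticks -> UTC datetime (truncated to microseconds)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def password_expiry(pwd_last_set: int, max_pwd_age: int, user_account_control: int):
    """When the password expires, or None if it never does.

    pwdLastSet == 0 means 'user must change password at next logon'.
    maxPwdAge is stored negative; 0 or -2**63 means the domain has no maximum age.
    """
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return None
    if max_pwd_age == 0 or max_pwd_age == -(2 ** 63):
        return None
    if pwd_last_set == 0:
        return FILETIME_EPOCH  # already expired
    return filetime_to_datetime(pwd_last_set - max_pwd_age)  # minus a negative = plus


def days_until_expiry(pwd_last_set: int, max_pwd_age: int,
                      user_account_control: int, now: datetime):
    """Days left (negative if already expired), or None if the password never expires."""
    expiry = password_expiry(pwd_last_set, max_pwd_age, user_account_control)
    if expiry is None:
        return None
    return (expiry - now).total_seconds() / 86400


# Error codes defined in RFC 2759 section 6 for the E= field of MS-CHAP-Error.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}
_MSCHAP_ERROR_RE = re.compile(
    r"E=(\d+) R=(\d) C=([0-9A-Fa-f]{32}) V=(\d+)(?: M=(.*))?")


def parse_mschap_error(text: str) -> dict:
    """Parse the text part of an MS-CHAP-Error attribute.

    'text' is the string after the leading Ident octet, e.g.
    'E=648 R=1 C=<32 hex> V=3 M=Password expired'.
    """
    m = _MSCHAP_ERROR_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not an MS-CHAP-Error string: {text!r}")
    code = int(m.group(1))
    return {
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
        "retry": int(m.group(2)),
        "challenge": m.group(3).lower(),
        "version": int(m.group(4)),
        "message": m.group(5) or "",
    }


def password_change_offered(err: dict) -> bool:
    """True when the server signals an expired password and supports the
    version-3 Change-Password exchange that MS-CHAPv2 defines."""
    return err["code"] == 648 and err["version"] == 3


# Constructed sample: password set 2024-01-01, 42-day domain policy, checked 2024-02-05.
SAMPLE_PWD_LAST_SET = datetime_to_filetime(datetime(2024, 1, 1, tzinfo=timezone.utc))
MAX_PWD_AGE_42_DAYS = -42 * 86400 * TICKS_PER_SECOND
SAMPLE_NOW = datetime(2024, 2, 5, tzinfo=timezone.utc)
SAMPLE_MSCHAP_ERROR = "E=648 R=1 C=00112233445566778899AABBCCDDEEFF V=3 M=Password expired"

if __name__ == "__main__":
    print("days until expiry:",
          days_until_expiry(SAMPLE_PWD_LAST_SET, MAX_PWD_AGE_42_DAYS, UF_NORMAL_ACCOUNT, SAMPLE_NOW))
    err = parse_mschap_error(SAMPLE_MSCHAP_ERROR)
    print(err["name"], "change offered:", password_change_offered(err))
```

The expiry function is what an "N days left" warning would be built on, and it only works for whoever holds an LDAP bind to AD, which in the thread's design is ISE, not the FTD. The MS-CHAP-Error parse shows the signal the head-end needs in order to prompt for a new password; a PAP Access-Reject carries nothing equivalent.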