Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2915
Views
5
Helpful
3
Replies

RA VPN (Any connect) password change using ISE and Active Directory

Go to solution
Philip Badhams
Level 1
Level 1

‎03-08-2021 04:19 AM

Hi All

I am trying to understand if it is possible to send password expiry notifications / reset password for RA VPN Users.

 

The current setup uses 2FA as follows:

1) User connects to FTD Outside Interface

2) The FTD passes the request via RADIUS to ISE

3) ISE, (which is integrated into Active Directry) queries the account via LDAP

4) ISE returns the result to the FTD

5) The FTD connects to the 2FA server and prompt the user for a token code.

6) The user is granted access.

 

My thinking is is not currently possible in the above setup as the FTD / FMC, does not talk directly to AD, instead it communicates via ISE.

 

I have been trying to follow the below configuration to test the theory

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/213905-configure-anyconnect-vpn-on-ftd-using-ci.html

 

What I cannot tell from the above guide is wether or not the ISE is required to integrate with Active Directory (as an external identity source) for it to work? The guide only shows setting up the realm in the FMC.

 

Any clarification would be appreciated.

 

Thanks

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marcelo Morais
VIP
VIP

‎03-08-2021 07:16 AM

Hi @Philip Badhams 

 yes, ISE is required to integrated with AD in External Identity Sources > Active Directory... on the link that you provided search for Cisco ISE, take a look at the screenshot related to RADIUS > Live Logs, look at the Steps, 24402 User Authentication against Active Directory succeeded.

 

Hope this helps !!!

 

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Marcelo Morais
VIP
VIP

‎03-08-2021 07:16 AM

Hi @Philip Badhams 

 yes, ISE is required to integrated with AD in External Identity Sources > Active Directory... on the link that you provided search for Cisco ISE, take a look at the screenshot related to RADIUS > Live Logs, look at the Steps, 24402 User Authentication against Active Directory succeeded.

 

Hope this helps !!!

 

0 Helpful

Go to solution
Philip Badhams
Level 1
Level 1
In response to Marcelo Morais

‎03-15-2021 04:54 AM

Is there a reason why both FMC and ISE need to be connected to AD in the scenario? I cannot see where the FMC talks directly to AD. All the authentication requests appear to go from the FMC to ISE and then to AD.

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to Philip Badhams

‎03-16-2021 08:11 PM

Philip Badhams, I've not used FMC/FTD for RA-VPN yet but I believe it not required to integrate with AD if you are not using any objects from AD in the policies in FMC.

If you want to support password changes for AD users, then the VPN head-end needs using MSCHAPv2 to connect to ISE. 

Customers Also Viewed These Support Documents