Support for 3rd party VPN concentrator with ISE 2.2

Jimi
Level 1

Hi All,

May I confirm that currently the supported use case for 3rd-party VPN concentrators is only AAA services, if they are able to support these RADIUS attributes:

AAA Attributes for Third-Party VPN Concentrators

For VPN concentrators to integrate with Cisco ISE, the following authentication, authorization, and accounting (AAA) attributes should be included in the RADIUS communication:

  • Calling-Station-ID (tracks individual client by MAC or IP address)
  • User-Name (tracks remote client by login name)
  • NAS-Port-Type (helps to determine connection type as VPN)
  • RADIUS Accounting Start (triggers official start of session)
  • RADIUS Accounting Stop (triggers official end of session and releases ISE license)
  • RADIUS Accounting Interim Update on IP address change (for example, SSL VPN connection transitions from Web-based to a full-tunnel client)


Note: For VPN devices, the RADIUS Accounting messages must have the Framed-IP-Address attribute set to the client’s VPN-assigned IP address to track the endpoint while on a trusted network.

Profiling and Posture on a 3rd-party VPN concentrator (e.g. Check Point or Juniper) are not available with ISE 2.2 currently?

Best Regards,

Jimmy
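A way to check, before pointing a third-party concentrator at ISE, that its accounting packets carry the attributes listed in the question. This is an added example, not part of the original thread or Cisco code: the function names are hypothetical, the attribute numbers are the standard RFC 2865/2866 codes, the sample packets are constructed, and the Request Authenticator is not verified because that needs the shared secret.

```python
import socket
import struct

# Attribute type codes from RFC 2865 / RFC 2866.
USER_NAME, FRAMED_IP, CALLING_STATION_ID = 1, 8, 31
ACCT_STATUS_TYPE, NAS_PORT_TYPE = 40, 61
ACCOUNTING_REQUEST = 4
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
REQUIRED = {USER_NAME: "User-Name", CALLING_STATION_ID: "Calling-Station-ID",
            NAS_PORT_TYPE: "NAS-Port-Type", FRAMED_IP: "Framed-IP-Address"}


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for an Accounting-Request, rejecting bad TLVs."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length runs outside the packet")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def check_accounting(packet: bytes) -> tuple:
    """Return (status name, missing attributes); Framed-IP must be 4 bytes."""
    attrs = parse_attributes(packet)
    status = STATUS.get(int.from_bytes(attrs.get(ACCT_STATUS_TYPE, b""), "big"), "other")
    missing = sorted(name for t, name in REQUIRED.items()
                     if (len(attrs.get(t, b"")) != 4 if t == FRAMED_IP else not attrs.get(t)))
    return status, missing


def sample_packet(status: int, framed_ip: str = "") -> bytes:
    """Constructed test input: zeroed authenticator, made-up user and addresses."""
    tlv = lambda t, v: bytes([t, len(v) + 2]) + v
    body = (tlv(USER_NAME, b"jdoe") + tlv(CALLING_STATION_ID, b"198.51.100.7")
            + tlv(NAS_PORT_TYPE, struct.pack("!I", 5))  # 5 = Virtual
            + tlv(ACCT_STATUS_TYPE, struct.pack("!I", status)))
    if framed_ip:
        body += tlv(FRAMED_IP, socket.inet_aton(framed_ip))
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body)) + bytes(16) + body
```

Feeding it the payloads of a packet capture taken between the concentrator and the RADIUS server shows whether Start, Stop and Interim-Update messages each carry Framed-IP-Address.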

Accepted Solutions

hslai
Cisco Employee

You are correct.

Craig said,

We can integrate as a standard AAA server for RADIUS services, but comprehensive support for services like Posture/MDM is currently limited due to lack of CoA support on the 3rd-party VPN gateway.


... Make sure NAD Profile has Juniper dictionary loaded if not using default Juniper NAD profile.


dngore
Cisco Employee

Hi,

Is it the same status for third-party VPN concentrators? We are doing a PoC for a bank customer. They have a Juniper firewall where VPN clients terminate. The customer wants to have authentication and posture verification for VPN clients.

Is it possible with ISE 2.4 and a Juniper firewall?

Can't we use the inline PSN solution that we used for Cisco ASA previously?

Regards,

D.M.Gore

Please see the answer; it mentions the Juniper firewall. Not sure of your question; it seems like it is already answered?

Yes, I do understand that third-party devices do not support CoA and hence can't have posture support. But can't we use an inline ISE PSN node to support a device with CoA support?

hslai
Cisco Employee

The last ISE release supporting an inline posture node is ISE 1.4.

Features Not Supported in Cisco ISE, Release 2.0

Inline Posture Node (IPN / iPEP)

Jimi
Level 1

Understood. Thank you