
SiJian Bao

VDI Access Control with ISE

Hi Guys,

Can ISE do the access control for VDI users with thin clients like PCs? We now want to set up 802.1X authentication for the VDI users, but I'm not sure if this can be done by ISE. Do we just need to configure the access switch ports to open 802.1X as usual, and the switch will then relay the RADIUS to ISE?



I deployed an ASA firewall running the Identity-based feature between a VDI desktop pool and the rest of the internal network. I am now able to restrict access to the internal network from the VDI network based on both AD user and group. The results of testing so far are very good. I have yet to see an issue with the setup.

I am referencing AD groups in the ASA access-list so I don't have to update them when a new user is added to a department that needs a common access policy. Access is updated by the domain admin when they add and remove users from the AD group that is referenced in the access-list.


ASA firewall 8.4 or later

Cisco Context Directory Agent (VMware appliance with HTTPS interface)

Domain Controllers

Thank you,



I'm dealing with a similar project and I would like to know if it is possible to do with Cisco appliances/solutions something like the Fortinet example below:



Looks like the identity-based firewall functionality I had discussed in this thread. It was a great solution for my project.

As I understand it, Citrix VDI creates a situation like NAT does, because the firewall will still see just the same MAC+IP. How could the firewall understand the difference? I cannot understand how your solution using AnyConnect could help, or maybe you did not understand my situation.

I think that since Citrix gives a range of ports to each remote user accessing the VDI environment, the local agent installed on the Xen server gives the Fortinet firewall that port information, and based on it the firewall can control connection access.

Maybe the only solution would be using a firewall with clientless VPN to control access to VDI, but I'm not sure if it would be the better solution...


You are right: if it is using the same IP+MAC, then I don't think the identity-based firewall feature of the ASA will work for you unless you can set the Citrix VDI to use DHCP to give a unique IP for each desktop.

This is how it worked with VMware:

1. Single VDI pool with a unique IP for each desktop assigned by DHCP on the same subnet.

2. User logs in to floating desktop and Windows login server is updated with username and IP.

3. Cisco Directory Agent (CDA) gets the username/IP mapping from Windows login server.

4. Cisco ASA is configured to allow access based on Windows AD group X.

5. ASA gets username/IP mapping from CDA and checks AD directly for group assignment.

6. ASA enforces access policy on the IP that is currently used by the user of group X. Users of groups Y and Z would have different policies.

NOTE: AnyConnect is not used with identity-based firewall for Windows devices. If used for 802.1X (wired or wireless) or any other supplicant, it does allow identity-based firewall to work with non-Windows devices. If Cisco would only enhance RA VPN to work when using ISE authentication with Windows domain detection or assignment, it would be a complete identity-based solution. RA VPN can work if authenticating directly with AD.
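The six-step flow above, and why it depends on each desktop having its own IP, as a simplified model added here (not part of the original posts and not ASA or CDA code). The user names, groups, addresses and the rule that each source IP maps to one user with the latest logon winning are constructed assumptions:

```python
# Simplified model of IP-keyed identity enforcement; not ASA or CDA code.
# Constructed sample data: AD group membership and per-group allowed servers.
FINANCE_SRV, ENG_SRV = "10.20.0.10", "10.30.0.10"
AD_GROUPS = {"alice": {"Finance"}, "bob": {"Engineering"}}
GROUP_POLICY = {"Finance": {FINANCE_SRV}, "Engineering": {ENG_SRV}}


class IdentityFirewall:
    def __init__(self):
        self.ip_to_user = {}  # username/IP mapping learned from logon events

    def logon_event(self, user, src_ip):
        # Assumption: one user per source IP, the most recent logon wins.
        self.ip_to_user[src_ip] = user

    def permits(self, src_ip, dst_ip):
        user = self.ip_to_user.get(src_ip)
        if user is None:
            return False  # no identity known for this IP: deny
        groups = AD_GROUPS.get(user, set())
        return any(dst_ip in GROUP_POLICY.get(g, set()) for g in groups)


def unique_ip_per_desktop():
    """Each floating desktop has its own DHCP address (step 1)."""
    fw = IdentityFirewall()
    fw.logon_event("alice", "10.1.1.11")
    fw.logon_event("bob", "10.1.1.12")
    return {
        "alice_to_finance": fw.permits("10.1.1.11", FINANCE_SRV),
        "bob_to_finance": fw.permits("10.1.1.12", FINANCE_SRV),
        "bob_to_engineering": fw.permits("10.1.1.12", ENG_SRV),
    }


def shared_session_host_ip():
    """Both users' sessions leave from one host IP, as on a terminal server."""
    fw = IdentityFirewall()
    fw.logon_event("alice", "10.1.1.50")
    fw.logon_event("bob", "10.1.1.50")  # replaces alice's mapping
    # The firewall sees only the source IP, so every session on the host
    # is now evaluated as bob, including alice's.
    return {
        "host_to_finance": fw.permits("10.1.1.50", FINANCE_SRV),
        "host_to_engineering": fw.permits("10.1.1.50", ENG_SRV),
    }


if __name__ == "__main__":
    print(unique_ip_per_desktop())
    print(shared_session_host_ip())
```

With one IP per desktop the group policies stay separate; with a shared host IP the Finance user loses access and her traffic is allowed to the Engineering server under the other user's policy.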



Thank you for your effort and patience in helping me understand the flow, but I think the trick here is the DHCP assignment that gives the floating desktop a unique IP+MAC. My customer's design looks like a simple Windows Terminal Desktop access.

Before giving up this project opportunity using Cisco appliances, I will search more about Citrix configuration to figure out whether or not it is possible to configure something like the VMware setup explained by you, because I'm sure my customer has no idea about it.

Anyway, thanks again for your time and I gave you 5 stars for it.



