VDI compatibility with Cisco ISE

alim1
Level 1

Hello, I need to ask if there is compatibility between Cisco ISE and the VDI solution. If yes, how will I deal with the VDI solution? What are the problems that I may face?

Accepted Solution

What are you trying to accomplish? Since you usually authenticate the users via AD to access the VDI infrastructure, what more do you want? ISE is more than capable of authenticating users, but it has no direct integration with VDI. ISE is available to authenticate when you send authentication requests to it via RADIUS.

If you're trying to provide differentiated access to the VDI VMs, then it will rely on the ability to install a supplicant in the VDI VMs and on having a vswitch that is capable of performing or proxying 802.1X. This document is old, but it explains the concept with TrustSec in a diagram midway down the page. If you have a TrustSec environment, then it could make sense to add another layer of authentication to differentiate network access.
https://blogs.cisco.com/enterprise/using-trustsec-to-simplify-virtual-desktop-infrastructure-vdi-deployment

If you don't need the differentiation on the network that TrustSec provides, then using two-factor authentication while the user is logging in might be the better path. The secondary authentication option on VDI could be pointed to ISE, DUO, RSA, or Google Authenticator. ISE can't be used as the primary authenticator to the VDI infrastructure; it can only be set up via RADIUS multi-factor. If you are using user credentials and not tokens, then you won't gain any extra security by sending user credentials again to ISE after AD has already authenticated them. There is a guide on the VMware site.
https://blogs.vmware.com/consulting/files/2015/02/VMW_15Q1_TD_Horizon-View-Google-Authenticator_021715_FINAL_EMonjoin.pdf


3 Replies

Damien Miller
VIP Alumni
Similar to the issues you would face with any wired/wireless desktop infrastructure, you have a client machine that you want to authenticate to the physical network. There would be no change here, and it could be something like a thin client, Windows notebook or MacBook.

The piece that you don't provide any details on is what goals you have on the VDI side. Traditionally the VDI infrastructure is sitting in a data center, and access control is handled by the directory and firewalls. If you want to add differentiated access on the back end of a VDI server, it complicates things. One thing we piloted in the past was statically tagging user traffic to/from different VDI clusters, letting the TrustSec policy handle a high-level access restriction. It was not an elegant solution, but in the end it did accomplish the goal of logically separating users between clusters. As the saying goes, there is more than one way to skin a cat.

Hello,

Thank you for your reply. As I know, VDI relies on user identity as authentication. Does Cisco ISE handle this feature? Is it applicable to authenticate users using their User-ID?

Best Regards
