
VPN remote access - dual authentication with same ISE

peter-marcek
Level 1

Hello,

Is it possible to use the same ISE as the primary and secondary authentication server (using a different identity source) in the tunnel-group config?

For example, the first authentication against the ISE internal database and the second against a Radius Token server...

Thanks for answers.

Peter

4 Replies

peter-marcek
Level 1

And I forgot to mention that the username is the same for both authentications.

Hi,

I had an internal conversation about this and don't believe this is a supported configuration because we don't see a way for ISE to be the first authentication and then set itself as the token server. You would need another token server for this configuration to work properly.

Regards,

-Tim

Hi Tim,

We have this setup:


ASA -- ISE -- Gemalto OTP server

And the idea was to use the ISE server as a single point of contact from the ASA, for both primary and secondary authentication.

primary - ISE internal database

secondary - Gemalto OTP with ISE as Radius "proxy"

Username will be the same for both identities.

If the ASA were able to send some Radius attributes to ISE for recognition between primary and secondary authentication...

Then ISE could use this attribute for Identity Store selection.

ISE at present supports two dual authentications -- EAP Chaining and CWA Chaining. Neither applies to VPN. The likely options for you are:

1. Continuing with ASA doing two authentications -- first to OTP and 2nd to ISE

2. Using ISE but OTP for auth and Internal Users for authorization.