FTD remote access VPN with ISE posture

xili5
Cisco Employee

Hi team,

Where can I find ISE component compatibility with FTD, which is not included in the document below?

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/compatibility/b_ise_sdt_24.html#ciscoremoteaccess

I can see DACL and CoA are supported from FTD 6.3. But I am still not sure whether the ISE posture solution for FTD AnyConnect VPN can work or partially work.

3 Replies

ldanny
Cisco Employee

That is correct, FTD does support CoA since 6.3, which means you should be able to set this up just as you would on ASA.

See the following guide as an example for FTD:

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html

This is an older version for posture setup with ISE, but it can be used as a guideline for FTD:

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

xili5
Cisco Employee

Hi Danny,

The document is about ASA AnyConnect VPN with ISE posture and FTD AnyConnect VPN without ISE posture.

Do you have an FTD AnyConnect VPN with ISE posture document? Does FTD support redirect URL to ensure client provisioning is working? If so, how do I define the redirect ACL, and which ACL action means redirect, permit or deny?

hslai
Cisco Employee

Moving this topic to FirePOWER.

This is actually among the New Features in Firepower Device Manager/FTD Version 6.4.0:

Support for RADIUS servers and Change of Authorization in remote access VPN. You can now use RADIUS servers for authenticating, authorizing, and accounting remote access VPN (RA VPN) users. You can also configure Change of Authorization (CoA), also known as dynamic authorization, to alter a user's authorization after authentication when you use a Cisco ISE RADIUS server.
We added attributes to the RADIUS server and server group objects, and made it possible to select a RADIUS server group within an RA VPN connection profile.

ISE configurations are identical to that for ASA, as Danny pointed out.

As FTD 6.4 was released after the most recent ISE releases, it is not yet vetted by the ISE teams. Please ask the Firepower team for this info.
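To make the CoA ("dynamic authorization") mechanism mentioned in the release note concrete, the following is an added example, not code from this thread or from Cisco. It models only the RFC 5176 packet layout and the Request Authenticator check a RADIUS client such as FTD performs on a CoA-Request from ISE; the shared secret, attribute values and identifier are constructed for illustration.

```python
import hashlib
import hmac
import struct

# RFC 5176 (Dynamic Authorization Extensions to RADIUS) packet codes
COA_REQUEST = 43
COA_ACK = 44
COA_NAK = 45

# Standard RADIUS attribute types used in the demo
ATTR_USER_NAME = 1
ATTR_ACCT_SESSION_ID = 44

def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS TLVs: 1-byte type, 1-byte length incl. header."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def decode_attrs(body):
    """Parse TLVs; reject malformed lengths rather than silently skipping them."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        alen = body[i + 1]
        attrs.append((body[i], body[i + 2:i + alen]))
        i += alen
    return attrs

def build_coa_request(identifier, attrs, secret):
    """Build a CoA-Request (what the RADIUS server side sends). RFC 5176 s2.3:
    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def verify_coa_request(packet, secret):
    """NAS-side check of a received CoA-Request; returns (ok, attrs). A packet whose
    authenticator does not match the shared secret must be dropped, not acted on."""
    if len(packet) < 20:
        return False, []
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False, []
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return False, []
    return True, decode_attrs(body)
```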
