Thank you Greg and hslai (and sorry for my late response). OK for ISE version 2.6. For second user authentication, I would like to try to avoid the use of a proxy between ISE and the external authentication source. Our cloud provider allows RADIUS or HTTPS requests to get a mobile push. A RADIUS proxy is used to encapsulate the RADIUS request in an HTTPS flow (more reliable than a direct RADIUS request over the Internet). That's why I am thinking of SAML. But according to your answers, I need a proxy. I am still not familiar with ISE authentication mechanisms.
Hello community,

I plan to deploy an architecture as follows:

Anyconnect client <====IPSEC tunnel====> Firepower with ASDM <=> ISE + external authentication provider

I am relatively new to ISE and I am trying to understand all interactions between components. The solution should handle these multiple authentications:

- machine certificate
- user certificate or credential
- external identity provider for second user authentication (ex: OTP)

1) My first (pre)question is about the ISE version. Which is the recommended version to deploy for a fresh new install? Version 2.7 has been released since Q4 2019. There are a lot of changes and especially MnT database optimizations. But this version is relatively new.

2) Regarding authentication, I understand that the machine certificate is normally used for tunnel establishment. The Firepower then forwards user authentication to ISE. ISE can contact an AD or RADIUS server for the first user authentication. I looked at the IPSEC with Duo use case. A Duo (or another identity provider) authentication proxy seems mandatory to handle the second authentication. Regarding ISE capabilities, I would like to not use an authentication proxy for the second authentication. I have seen in the ISE 2.6 admin guide that we can define a SAML IdP as an external identity source. Can ISE handle SAML requests for second authentication in a use case with an Anyconnect client IPSEC tunnel and Firepower as IPSEC termination? And if so, could you describe the authentication steps? (user portal needed? which component asks the external IdP? (Firepower, ISE, ...?)

K.