09-03-2020 04:55 AM
Hello,
We are working towards a new remote VPN, likely to be Cisco ASA. The pull between the different teams involved is whether a RADIUS server (ISE) is needed, or whether the ASA should just be integrated to talk directly with the Active Directory servers and use the groups from there.
Please help with what are the possible downfalls for either of these and especially from a security perspective.
Thanks in advance.
09-03-2020 05:20 AM
I am no ASA VPN expert, but for a simple scenario where users are connecting with AnyConnect to the VPN service and supplying their AD credentials for authentication, you might as well point the ASA directly at the AD using LDAP. That's how I do it. Involving ISE might give you some visibility but ... sorry to say this ... it also incurs a small fee because it would consume an ISE Base License. Unless you have some crazy complex setup, I think you can just use the simple AD group concept directly.
09-03-2020 05:31 AM
Thanks, but I have also been told security is a concern if the ASA directly talks to the directory, hence the need for a RADIUS server in between, apart from the usual funky stuff that may be done with RADIUS?
09-03-2020 06:13 AM
I don't buy that argument - it's like saying that ISE is more trustworthy to talk LDAP to your AD servers than ASA is in talking LDAP to AD. ASA is a hardened appliance and designed for security purposes. ISE is the same. But ISE is just a middle man in this case and adds no value ... only adds another point of failure and licensing cost. So that's my argument against using any RADIUS server in this scenario.
09-03-2020 05:39 AM
You can directly integrate ASA with LDAP authentication, until you have any reason to involve ISE here.