vpn and active directory

suthomas1
Level 6

Hello,

We are working towards a new remote VPN, likely to be a Cisco ASA. The pull between the different teams involved is whether a RADIUS server (ISE) is needed, or whether the ASA should just be integrated to talk directly with the Active Directory servers and use the groups from there.

Please help with what the possible downfalls are for either of these, especially from a security perspective.

 

Thanks in advance.

1 Accepted Solution

Accepted Solutions

Arne Bier
VIP

I am no ASA VPN expert, but for a simple scenario where users are connecting with AnyConnect to the VPN service and supplying their AD credentials for authentication, you might as well point the ASA directly at the AD using LDAP. That's how I do it. Involving ISE might give you some visibility but ... sorry to say this ... it also incurs a small fee because it would consume an ISE Base License. Unless you have some crazy complex setup, I think you can just use the simple AD group concept directly.


4 Replies

suthomas1
Level 6

Thanks, but I have also been told that security is a concern if the ASA talks directly to the directory, hence the need for a RADIUS server in between, apart from the usual funky stuff that may be done with RADIUS?

I don't buy that argument. It's like saying that ISE is more trustworthy in talking LDAP to your AD servers than the ASA is in talking LDAP to AD. The ASA is a hardened appliance designed for security purposes. ISE is the same. But ISE is just a middleman in this case and adds no value; it only adds another point of failure and licensing cost. So that's my argument against using any RADIUS server in this scenario.

balaji.bandi
Hall of Fame

You can directly integrate the ASA with LDAP authentication, unless you have a reason to involve ISE here.

BB
