Help needed for Palo Alto & Cisco ISE Integration

mdsarzulislam · ‎11-10-2024

Hello Experts,
I am in a situation of integration of Cisco ISE with Palo Alto Global Protect VPN.
My goal is to configure Cisco ISE as a RADIUS server for Global Protect VPN users. While any user enters a username and password in the Global Protect portal, it will forward the user credentials to ISE for validation, and ISE will validate the user against AD.

I tried to find much documentation but was not able get any clear steps.

Please, if anyone could help with the steps that I could use as guidelines to fill the above purpose.

Thank you in advance!

Karsten Iwen · ‎11-10-2024

This is for the ASA and the ISE is an older version. But it outlines what has to be done on the ISE:
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215432-configure-ssl-anyconnect-with-ise-authen.html

And if you are not used to the ISE, consider attending a training. The ISE is powerful but also complex: https://www.cisco.com/c/en/us/training-events/training-certifications/training/training-services/courses/implementing-and-configuring-cisco-identity-services-engine-sise.html

ahollifield · ‎11-12-2024

Why use ISE at all? What is the MFA strategy? Why not SAML to whatever IdP is being used?

Aref Alsouqi · ‎11-12-2024

Take a look at these videos, they should have the answer for you:

Palo Alto Firewall GlobalProtect VPN integration with Cisco ISE for SGT Propagation/Enforcement

Configure Cisco ISE With RADIUS For Palo Alto Networks - YouTube