
Cisco ISE guests and Ironport

sanjinturic
Level 1

Hi All,

I'm currently writing an HLD for a Cisco ISE rollout in my organization, and I've come across sort-of-an-issue:

I'm planning on getting the guests in through the ISE Guest portal, but I also want to push them through an authenticated proxy (for accounting purposes) instead of a transparent one... however, I can't seem to find a way to somehow integrate Ironport and ISE in order to achieve some sort of an SSO, to avoid users having to enter their credentials twice (guest portal and Ironport). Has anyone got a working solution for this?

Any constructive input appreciated!

Thanks!


jan.nielsen
Level 7

If your only reason for putting them through Ironport is to get some sort of accounting on guest activity, I would recommend using an ASA firewall and then sending the syslog to ISE from it. ISE will then correlate the URL usage and bandwidth usage with the guest username and details automatically, and you can track it with the reporting features in ISE.

There is no direct integration between ISE and Ironport for SSO; however, Jan is dead on as far as guest activity tracking. Here is a guide from the NAC Guest Server that shows how to make this work. What version of ISE are you using?

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080ac2fda.shtml#asac

Thanks,

Tarik Admani
*Please rate helpful posts*

sanjinturic
Level 1

Thanks for the swift responses and suggestions!

I'll most certainly have a look at the proposals...

However, I still want the guest users to go through the S370, as it's not only for accounting purposes, but I want them to authenticate, since it would make tracing and pinning events to a person way easier - that's the main reason why I'm trying to find a solution that might act like an SSO. The business side stated that signing in twice (ISE guest portal, then proxy) is unacceptable. I know that there's no direct integration between ISE and Ironport at the moment, and I am going to put in a feature request for that, but for the time being, I am really keen on getting this to work somehow...

BTW - I'm currently using a virtualised ISE, release 1.1.4, and I've got the 3395s on order...

Sanjin,

If you can stop the order for the 3395, that would be great. The new 3495s are available and run on UCS, so you can use more remote management functions through the CIMC.

Here is another question asked previously, where SSO with Ironport isn't supported.

https://supportforums.cisco.com/thread/2149968

Thanks,

Tarik Admani
*Please rate helpful posts*
