Cisco Support Community

Cisco ISE guests and Ironport

Hi All,

I'm currently writing a HLD for a Cisco ISE rollout in my organization, and I've come across sort-of-an-issue:

I'm planning on getting the guests in through the ISE Guest portal, but I also want to push them through an authenticated proxy (for accounting purposes) instead of a transparent one... however, I can't seem to find a way to somehow integrate Ironport and ISE in order to achieve some sort of an SSO, to avoid users having to enter their credentials twice (guest portal and Ironport) - has anyone got a working solution for this?

Any constructive input appreciated!

Thanks!

4 REPLIES

Cisco ISE guests and Ironport

If your only reason for putting them through Ironport is to get some sort of accounting on guest activity, I would recommend using an ASA firewall and then sending the syslog to ISE from it. ISE will then correlate the URL usage and bandwidth usage with the guest username and details automatically, and you can track it with the reporting features in ISE.

Cisco ISE guests and Ironport

There is no direct integration between ISE and Ironport for SSO; however, Jan is dead on as far as guest activity tracking. Here is a guide from the NAC Guest Server that shows how to make this work. What version of ISE are you using?

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080ac2fda.shtml#asac

Thanks,

Tarik Admani
*Please rate helpful posts*


Cisco ISE guests and Ironport

Thanks for the swift responses and suggestions!

I'll most certainly have a look at the proposals...

However, I still want the guest users to go through the S370, as it's not only for accounting purposes, but I want them to authenticate, since it would make tracing and pinning events to a person way easier - that's the main reason why I'm trying to find a solution that might act like an SSO. The business side stated that signing in twice (ISE guest portal, then proxy) is unacceptable. I know that there's no direct integration between ISE and Ironport at the moment, and I am going to put in a feature request for that, but for the time being, I am really keen on getting this to work somehow...

BTW - I'm currently using a virtualised ISE, release 1.1.4, and I've got the 3395s on order...

Cisco ISE guests and Ironport

Sanjin,

If you can stop the order for the 3395 that would be great; the new 3495s are available and run on UCS, so you can use more remote management functions through the CIMC.

Here is another question asked previously, where SSO with Ironport isn't supported.

https://supportforums.cisco.com/thread/2149968

Thanks,

Tarik Admani
*Please rate helpful posts*
