How to use ISE for VPN auth

endpoint
Level 1

Hello

Looking for documentation on how to set up ISE to authenticate VPN users. Right now we are using ACS 4.2 to provide dACL and authentication but would like to migrate this feature to ISE. We are using Microsoft AD.

Any good docs, white papers, field notes, how-to that can address this issue will be appreciated.

Thanks

1 Reply

Mathieu Sturm
Level 1

We use the ISE for VPN (connection with OpenLDAP). On the authentication policy you have multiple options. We used the Network Access - Device IP Address option. On the Authorization tab we again used the IP address option in combination with an LDAP attribute where there was a definition of the status of the person (student, teacher, admin, ...). On the Policy Elements tab we made some authorization profiles in Results - Authorization - Authorization Profiles. When you make a new profile you can select the ASA VPN attribute under Common Tasks. There you can, for example, insert admin.

So if you have an admin user that wants to log in:

authentication: user found in LDAP (or AD)

authorization:

- user is coming from ASA IP address

- user attribute is admin

= user is authorized for the admin class on your ASA VPN device.
