Posts

Showing posts from May, 2019

Remote Access VPN Authentication with Cisco ISE

In this article I will walk through the steps required to configure the ASA for external authentication using Cisco ISE for remote access VPN users. This demonstration will use the following devices:

- Cisco ISE 2.4
- Cisco ASA 9.8
- Cisco AnyConnect 4.6
- Test Laptop
- Server 2012 R2

Overview

Cisco ISE can be used to authenticate remote access users terminating on a Cisco ASA. Before users gain access to the network, they are required to authenticate using a set of credentials, often certificate-based or a username and password. Based on the user authentication, Cisco ISE can be used to determine which tunnel-group the user should be placed within. Change of Authorization (CoA) is supported from ASA version 9.2.1, which allows ISE to perform things such as posturing. Although not the main focus of this article, Cisco ISE can also be used to apply things such as Dynamic Access Control Lists (dACLs) based on matched authorization policies.

Demonstration Topology

In this demo