03-15-2018 11:03 AM
I am looking to understand what capabilities we have to integrate with F5 Remote Access with ISE providing Authentication and Authorisation services. Customer is using ISE in the wireless network but would like to extend this to their F5 RAS environment. Do we have any examples of this? I am looking to understand what, if anything, is possible.
The requirement from the customer is as follows:
Prior to our call here are some details on our F5 RAS solution; any ideas around integrating the ISE NAC capabilities would be greatly appreciated.
Design details of the solution:
(Embedded image moved to file: pic48733.gif)
SecurID Authentication
The F5 system was added to the customer's RSA Authentication Manager system and an RSA SecurID Authentication server called Customer_SecureID was defined on the F5 system by importing the sdconf.rec file. All users are initially authenticated by SecurID.
AD Authentication
After the SecurID check, users are next authenticated against the customer's Active Directory domain. The F5 system binds to Active Directory using a service account to check credentials. This is necessary in order for the F5 system to allow users to change expired passwords.
Client Type Check
The client type is determined by examining the User-Agent HTTP header that is part of client requests. If the client is detected to be an F5 standalone client then functionality branches to provide network-level access. Anything else is assumed to be a web browser requiring Citrix access.
Machine Certificate Check
Users with F5 clients must pass an additional check to ensure that they have a customer machine certificate installed. The machine certificate checker is a client-side component that is downloaded to end users. The computer certificate store is searched for entries issued by the customer's certificate authority. Any matching certificates are sent to the F5 system and from there checked using OCSP. Users without a valid certificate are presented with a warning message and disconnected.
Network Client Access
Client-based users with valid machine certificates are granted network access. A virtual adapter on their PC is configured with an address from a pool maintained on the F5 system.
Citrix Access
Users with any client other than a standalone client are directed to the Citrix system. The F5 APM connects to the Citrix XML service and, using the credentials stored when the user logged on, authenticates and reads their list of applications.
The F5 APM system replaces the Citrix StoreFront/Web Interface modules, providing users with a menu of applications through its own user interface.
When the user clicks on an item on the applications menu, an ICA session is launched that is proxied through the F5 virtual server.
03-16-2018 02:47 AM
First let me call out that this is a public forum. Please do not post any information that is deemed customer sensitive or confidential. You have cited a specific organization and security policy, so I have edited the names used. We have a separate partner forum used for questions that may require the inclusion of customer-sensitive data, but this question could be asked without divulging the customer.
Not sure if Posture is a requirement here, but the current solution is tightly coupled to F5 client usage. It may be better to understand the challenges with the current setup, as I often follow the concept of "if it is not broken, don't fix it". ISE can certainly provide integration with RSA, AD, and machine authentication via certs.
Since you mentioned RAS (and I assume that is not being mixed up with RSA), is this a remote access VPN setup with access to FirePass and then to APM over VPN, or a LAN connection direct to APM? I ask since the VPN termination and auth will happen separately from the APM validation. For example, we have ASA to terminate VPN via certificate, RSA/OTP, and AD prior to getting network access. Authorization can be assigned via ISE.
Assuming this is a LAN connection, ISE could perform some of the initial network authentication through 802.1X using certs, OTP, or AD machine/user auth. It could also integrate via a RADIUS interface to APM (where ISE is RADIUS server) as shown here. Citrix can also be integrated into TS-Agent to our firewalls.
Finally, there were discussions at one time regarding potential for F5 to integrate APM with pxGrid to use ISE session data (proof of authentication and role assignment) to more seamlessly provide secure application access, but not sure F5 has moved on that option.
Need to return to the "what is the problem to be solved" and that will help guide whether it makes sense to offload some of the AAA functions to ISE.
Craig
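The "RADIUS interface to APM (where ISE is RADIUS server)" option above is easiest to reason about at the wire level. The following is an added example written for this thread, not F5's or Cisco's code: a minimal RFC 2865/2869 PAP exchange in which the NAS (the APM role) builds an Access-Request with a Message-Authenticator, and the server (the ISE role) verifies it, recovers the password, and answers with an Access-Accept carrying an authorization attribute or an Access-Reject. Only the Python standard library is used. The shared secret, the user store, the NAS-Identifier and the Filter-Id value are constructed assumptions.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types used below (RFC 2865 / RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 2, 11, 32, 80

# Constructed values for this example only; a deployment configures its own.
SHARED_SECRET = b"constructed-shared-secret-for-example"
USER_DB = {"alice": b"correct horse battery staple"}


def _attrs(avps):
    """Encode (type, value) pairs as RADIUS attributes: Type(1) Length(1) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)


def _parse_attrs(data):
    """Decode attributes, refusing malformed lengths rather than reading past the buffer."""
    out = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute")
        t, l = struct.unpack("!BB", data[:2])
        if l < 2 or l > len(data):
            raise ValueError("bad attribute length")
        out.append((t, data[2:l]))
        data = data[l:]
    return out


def obfuscate_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), the first block keyed by the Request
    Authenticator. The password is hidden only as well as the secret is."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def recover_password(blob, secret, authenticator):
    """Inverse of obfuscate_password, run on the server side."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")  # strip padding (adequate for this example)


def build_access_request(identifier, username, password, secret):
    """NAS side (APM role): Access-Request with a Message-Authenticator computed
    as HMAC-MD5 over the whole packet with that attribute zeroed (RFC 2869 5.14)."""
    req_auth = os.urandom(16)
    avps = [
        (USER_NAME, username.encode()),
        (USER_PASSWORD, obfuscate_password(password, secret, req_auth)),
        (NAS_IDENTIFIER, b"f5-apm-example"),  # constructed
        (MESSAGE_AUTHENTICATOR, b"\x00" * 16),
    ]
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(_attrs(avps))) + req_auth
    mac = hmac.new(secret, header + _attrs(avps), hashlib.md5).digest()
    avps[-1] = (MESSAGE_AUTHENTICATOR, mac)
    return header + _attrs(avps), req_auth


def build_response(code, identifier, req_auth, secret, avps=()):
    """RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = _attrs(list(avps))
    head = struct.pack("!BBH", code, identifier, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body


def server_handle(packet, secret, user_db=USER_DB):
    """Server side (ISE role). Returns a response, or None when the request is
    malformed or fails authentication of the packet and must be silently dropped."""
    try:
        code, identifier, length = struct.unpack("!BBH", packet[:4])
        if code != ACCESS_REQUEST or length < 20 or length > len(packet):
            return None
        req_auth, avps = packet[4:20], _parse_attrs(packet[20:length])
    except (struct.error, ValueError):
        return None
    attrs = dict(avps)
    mac = attrs.get(MESSAGE_AUTHENTICATOR)
    if mac is None:  # policy for this example: require Message-Authenticator
        return None
    zeroed = _attrs([(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in avps])
    if not hmac.compare_digest(mac, hmac.new(secret, packet[:20] + zeroed, hashlib.md5).digest()):
        return None  # wrong secret or tampered packet: verify this before anything else
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    pw = recover_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    if hmac.compare_digest(pw, user_db.get(user, b"\x00")):
        # Authorization travels back as attributes; Filter-Id value is constructed.
        return build_response(ACCESS_ACCEPT, identifier, req_auth, secret,
                              [(FILTER_ID, b"remote-access-full")])
    return build_response(ACCESS_REJECT, identifier, req_auth, secret)


def nas_verify_response(packet, req_auth, secret):
    """NAS side: trust the verdict only if the Response Authenticator matches."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    body = packet[20:length]
    expected = hashlib.md5(packet[:4] + req_auth + body + secret).digest()
    return (code, dict(_parse_attrs(body))) if hmac.compare_digest(packet[4:20], expected) else None


def run_exchange(username, password, nas_secret=SHARED_SECRET, server_secret=SHARED_SECRET):
    """One full round trip; returns the NAS's view of the outcome."""
    request, req_auth = build_access_request(7, username, password, nas_secret)
    response = server_handle(request, server_secret)
    if response is None:
        return "DISCARDED"
    verified = nas_verify_response(response, req_auth, nas_secret)
    if verified is None:
        return "INVALID_RESPONSE"
    return "ACCEPT" if verified[0] == ACCESS_ACCEPT else "REJECT"


if __name__ == "__main__":
    print(run_exchange("alice", b"correct horse battery staple"))  # ACCEPT
    print(run_exchange("alice", b"wrong"))                          # REJECT
    print(run_exchange("alice", b"wrong", server_secret=b"other"))  # DISCARDED
```

Two points the code makes concrete for the APM-to-ISE case: the server checks the Message-Authenticator before it decodes anything else, so a request from an unknown shared secret or with a modified byte is dropped rather than answered; and the User-Password obfuscation is keyed only by MD5 of the secret and the per-request authenticator, so the strength of the shared secret and the protection of the RADIUS path between APM and ISE are what keep the SecurID/AD credential from being recovered on the wire.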
03-15-2018 11:32 AM
Might work with the new AnyConnect agent that doesn't require redirect (ISE 2.2 and higher).
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html
Best to test it out and share your findings as I don’t think anyone has done that
03-16-2018 10:46 AM
Craig,
Apologies, I posted in the wrong forum as a result of trying to do this quickly. Thanks for the answer. In response to your question, this is F5 Remote Access so yes, VPN connectivity as opposed to LAN.
There isn't a problem as such, the customer is however looking to leverage ISE to the maximum extent possible and would like to perform some NAC actions (not defined in detail yet) if possible.