ISE and F5 RAS Integration

mgarvie
Cisco Employee

I am looking to understand what capabilities we have to integrate F5 Remote Access with ISE providing Authentication and Authorisation services.  The customer is using ISE in the wireless network but would like to extend this to their F5 RAS environment.  Do we have any examples of this?  I am looking to understand what, if anything, is possible.

The requirement from the customer is as follows:

Prior to our call, here are some details on our F5 RAS solution; any ideas around integrating the ISE NAC capabilities would be greatly appreciated.

Design details of the solution:

(Embedded image moved to file: pic48733.gif)

SecurID Authentication

The F5 system was added to the customer's RSA Authentication Manager system and an RSA SecurID Authentication server called Customer_SecureID was defined on the F5 system by importing the sdconf.rec file.  All users are initially authenticated by SecurID.

AD Authentication

After the SecurID check, users are next authenticated against the customer's Active Directory domain.  The F5 system binds to Active Directory using a service account to check credentials.  This is necessary in order for the F5 system to allow users to change expired passwords.

Client Type Check

The client type is determined by examining the User-Agent HTTP header that is part of client requests.  If the client is detected to be an F5 standalone client then functionality branches to provide network-level access.  Anything else is assumed to be a web browser requiring Citrix access.

Machine Certificate Check

Users with F5 clients must pass an additional check to ensure that they have a customer machine certificate installed.  The machine certificate checker is a client-side component that is downloaded to end users.  The computer certificate store is searched for entries issued by the customer's certificate authority.  Any matching certificates are sent to the F5 system and from there checked using OCSP.  Users without a valid certificate are presented with a warning message and disconnected.

Network Client Access

Client-based users with valid machine certificates are granted network access.  A virtual adapter on their PC is configured with an address from a pool maintained on the F5 system.

Citrix Access

Users with any client other than a standalone client are directed to the Citrix system.  The F5 APM connects to the Citrix XML service and, using the credentials stored when the user logged on, authenticates and reads their list of applications.

The F5 APM system replaces the Citrix StoreFront/Web Interface modules, providing users with a menu of applications through its own user interface.

When the user clicks on an item on the applications menu, an ICA session is launched that is proxied through the F5 virtual server.
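The access-policy flow described in the post above, modelled as an added example (it is not F5 configuration and not code from the original thread): the ordered SecurID and AD checks, the User-Agent-based client branch, the issuer filter applied to the machine certificate store, and the OCSP status lookup that decides between network access and a disconnect. The CA distinguished name, the User-Agent marker string, the certificates, the revoked serial and the `ocsp_status` stand-in are all constructed assumptions.

```python
"""Model of the F5 APM access-policy branching from the question.

Added example, not F5 code or configuration.  Every constant below is an
assumption; the real issuer DN, User-Agent string and OCSP responder are
customer-specific.
"""
from dataclasses import dataclass
from datetime import date

CUSTOMER_CA_DN = "CN=Customer Issuing CA, O=Customer"   # assumption
STANDALONE_UA_MARKER = "F5 Networks Client"             # assumption


@dataclass(frozen=True)
class Cert:
    """One entry from the computer certificate store (constructed shape)."""
    subject: str
    issuer: str
    serial: int
    not_after: date


@dataclass
class Session:
    """What APM knows about one logon attempt after the two auth steps ran."""
    username: str
    user_agent: str
    securid_ok: bool
    ad_ok: bool
    machine_store: tuple = ()   # Cert entries found on the endpoint


def detect_client(user_agent):
    """Client Type Check: the User-Agent header is chosen by the client,
    so this result only selects a path; it is not a trust decision."""
    return "standalone" if STANDALONE_UA_MARKER in user_agent else "browser"


def candidate_machine_certs(store, today):
    """Client-side part of the Machine Certificate Check: entries issued by
    the customer CA that have not expired are what gets sent to the F5."""
    return [c for c in store if c.issuer == CUSTOMER_CA_DN and c.not_after >= today]


def ocsp_status(cert, revoked_serials):
    """Stand-in for the OCSP query the F5 makes (constructed): a serial is
    'revoked' if the responder lists it, otherwise 'good'."""
    return "revoked" if cert.serial in revoked_serials else "good"


def evaluate(session, today, revoked_serials=frozenset()):
    """Walk the policy in the order the design describes and return
    (branch, reason).  Branches: 'deny', 'citrix', 'network'."""
    if not session.securid_ok:
        return ("deny", "SecurID authentication failed")
    if not session.ad_ok:
        return ("deny", "Active Directory authentication failed")
    if detect_client(session.user_agent) == "browser":
        return ("citrix", "browser client: application menu and proxied ICA via APM")
    # Standalone client: network-level access is gated by the machine certificate.
    good = [c for c in candidate_machine_certs(session.machine_store, today)
            if ocsp_status(c, revoked_serials) == "good"]
    if not good:
        return ("deny", "no valid customer machine certificate: warn and disconnect")
    return ("network", "network access granted; virtual adapter assigned from F5 pool "
                       "(machine cert serial %d)" % good[0].serial)
```

Because the User-Agent header is client-supplied, `detect_client` only picks a path; the machine-certificate check is what actually gates network-level access, which is why the model denies on a certificate from another issuer, an expired one or a revoked one rather than quietly falling back to the Citrix branch.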

Accepted Solution

First let me call out that this is a public forum. Please do not post any information that is deemed customer-sensitive or confidential.  You have cited a specific organization and security policy, so I have edited the names used.  We have a separate partner forum used for questions that may require the inclusion of customer-sensitive data, but this question could be asked without divulging the customer.

Not sure if Posture is a requirement here, but the current solution is tightly coupled to F5 client usage.  It may be better to understand the challenges with the current setup, as I often follow the concept of "if it is not broken, don't fix it".  ISE can certainly provide integration with RSA, AD, and machine authentication via certs.

Since you mentioned RAS (and I assume this is not being mixed up with the RSA use), is this a remote access VPN setup with access to FirePass and then to APM over VPN, or a LAN connection directly to APM?   I ask since the VPN termination and auth will happen separately from the APM validation.  For example, we have ASA to terminate VPN via certificate, RSA/OTP, and AD prior to getting network access.  Authorization can be assigned via ISE.

Assuming this is a LAN connection, ISE could perform some of the initial network authentication through 802.1X using certs, OTP, or AD machine/user auth.  It could also integrate via a RADIUS interface to APM (where ISE is the RADIUS server) as shown here.  Citrix can also be integrated with our firewalls via TS-Agent.

Finally, there were discussions at one time regarding the potential for F5 to integrate APM with pxGrid to use ISE session data (proof of authentication and role assignment) to more seamlessly provide secure application access, but I am not sure F5 has moved on that option.

We need to return to "what is the problem to be solved", and that will help guide whether it makes sense to offload some of the AAA functions to ISE.

Craig

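The RADIUS interface Craig refers to, with ISE as the RADIUS server and APM as the NAS, as an added example rather than anything from ISE, F5 or the original thread: both sides of a PAP Access-Request/Access-Accept exchange per RFC 2865, including the User-Password hiding, the Response Authenticator computed by the server, and the NAS-side check that discards a reply whose authenticator does not match. The shared secret, the user database, the NAS-Identifier and the Class value returned on accept are constructed assumptions.

```python
"""RFC 2865 PAP exchange: NAS (the APM role) <-> RADIUS server (the ISE role).

Added example; not ISE, F5 or thread code.  Secret, users, NAS-Identifier and
the Class attribute value are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CLASS, NAS_IDENTIFIER = 1, 2, 25, 32   # RFC 2865 types


def encode_attrs(attrs):
    """Attribute list -> TLV bytes (type, length including header, value)."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([atype, len(value) + 2]) + value
    return out


def decode_attrs(data):
    """TLV bytes -> attribute list; rejects a truncated or zero-length attribute."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(plain), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def nas_access_request(username, password, secret, ident=7, request_auth=None):
    """NAS side: build the Access-Request; returns (packet, Request Authenticator)."""
    req_auth = request_auth or os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password, secret, req_auth)),
             (NAS_IDENTIFIER, b"f5-apm-example")]            # constructed
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def server_handle(pkt, secret, user_db):
    """Server side: check credentials, answer Accept (with a Class) or Reject."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    found = dict(attrs)
    user = found.get(USER_NAME, b"").decode("utf-8", errors="replace")
    password = unhide_password(found.get(USER_PASSWORD, b""), secret, req_auth)
    if code == ACCESS_REQUEST and user in user_db and \
            hmac.compare_digest(user_db[user].encode(), password):
        rcode, resp_attrs = ACCESS_ACCEPT, [(CLASS, b"role=remote-vpn-users")]  # constructed
    else:
        rcode, resp_attrs = ACCESS_REJECT, []
    auth = response_authenticator(rcode, ident, req_auth, encode_attrs(resp_attrs), secret)
    return build_packet(rcode, ident, auth, resp_attrs)


def nas_verify_response(resp, request_auth, secret):
    """NAS side: recompute the Response Authenticator; on mismatch the reply is discarded."""
    code, ident, auth, attrs = parse_packet(resp)
    expected = response_authenticator(code, ident, request_auth, encode_attrs(attrs), secret)
    return hmac.compare_digest(auth, expected), code, dict(attrs)
```

Three cases are worth running: a correct password (Access-Accept carrying the Class attribute the NAS can map to a role), a wrong password (an authentic Access-Reject), and a shared secret that differs between the two sides, where the server cannot recover the password, answers Reject, and the NAS discards even that reply because its authenticator fails. Password hiding in RFC 2865 is MD5 keystream obfuscation rather than strong encryption, so the RADIUS path between APM and ISE still needs network-level protection.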

3 Replies

Jason Kunst
Cisco Employee

Might work with the new AnyConnect agent that doesn't require redirect (ISE 2.2 and higher).

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html

Best to test it out and share your findings, as I don't think anyone has done that.


Craig,

Apologies, I posted in the wrong forum as a result of trying to do this quickly.  Thanks for the answer.  In response to your question, this is F5 Remote Access, so yes, VPN connectivity as opposed to LAN.

There isn't a problem as such; the customer is, however, looking to leverage ISE to the maximum extent possible and would like to perform some NAC actions (not defined in detail yet) if possible.