Cisco Identity Services Engine 1.2 Technical Manual

The basic concept is that all user traffic goes through the iPEP, with that node also acting as a RADIUS proxy between the ASA (the NAD) and the ISE Policy Node (PDP).
Basic Flow
1. The VPN user logs in.
2. The ASA sends the authentication request to the iPEP node (ISE).
3. The iPEP rewrites the request (adding Cisco AV-PAIR attributes to indicate that this is an iPEP authentication) and sends it to the ISE Policy Node (PDP).
4. The PDP replies to the iPEP, which forwards the reply to the NAD.
5. If the user is authenticated, the NAD MUST send an accounting-start request (see CSCtz84826). This triggers the session initiation on the iPEP. At this stage, the user is redirected for posture. Additionally, you need to enable interim-accounting-update for tunnels established from the WebVPN portal, because ISE expects the framed-ip-address attribute in the RADIUS accounting. When the user connects to the portal, the VPN IP address of the client is not yet known because the tunnel is not established; with interim updates enabled, the ASA sends an interim accounting update once the tunnel is established, and that update carries the address.
6. The user goes through the posture assessment, and based on the results the PDP updates the session using CoA on the iPEP.
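The ASA side of steps 2, 5 and 6 above, as an added configuration example that is not part of the original manual: the RADIUS server group points at the iPEP node rather than at the PDP, interim-accounting-update is enabled so the framed-ip-address reaches ISE after the tunnel comes up, and the tunnel group sends both authentication and accounting to that group. The group name ISE-IPEP, the tunnel-group name SSLVPN-TG, the interface name and the host address 10.0.0.5 are assumptions for this example.

```cisco
! Assumed: 10.0.0.5 is the ISE iPEP node, reachable on the inside interface.
! The ASA talks only to the iPEP; the iPEP proxies to the PDP (step 3).
aaa-server ISE-IPEP protocol radius
 ! Required for WebVPN portal logins: the client's VPN address is unknown at
 ! accounting-start, so the ASA must send an interim update carrying
 ! framed-ip-address once the tunnel is established (step 5).
 interim-accounting-update
aaa-server ISE-IPEP (inside) host 10.0.0.5
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813
!
tunnel-group SSLVPN-TG type remote-access
tunnel-group SSLVPN-TG general-attributes
 ! Authentication goes to the iPEP (step 2).
 authentication-server-group ISE-IPEP
 ! Accounting MUST go to the iPEP as well: without accounting-start there is
 ! no session on the iPEP and the user is never redirected for posture (step 5).
 accounting-server-group ISE-IPEP
tunnel-group SSLVPN-TG webvpn-attributes
 group-alias SSLVPN enable
```

A group that omits interim-accounting-update, or a tunnel-group without accounting-server-group, produces the symptom the text describes: the authentication succeeds but the iPEP never starts the session or never learns the client address, so posture redirection does not happen.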
This screenshot illustrates this process:
Example Topology