FTD AnyConnect AAA

Scenario:

Use ISE as the RADIUS server


1. No Authorization is configured when Authentication is configured with AAA.

There is no need to configure an Authorization server: the RADIUS request sent to ISE goes through both the ISE authentication (AuthC) and authorization (AuthZ) policy. Configuring an Authorization server causes a second RADIUS request to be sent to ISE, which may cause problems depending on how the RADIUS server is configured on FMC.

When no Authorization server is configured in the Connection Profile, enabling or disabling "Enable authorize only" makes no difference; this option seems to have an effect only when an Authorization server is configured.

2. Authorization is also configured when Authentication is configured with AAA.

As mentioned above, this is not required, but if it is configured, make sure "Enable authorize only" is checked.
When Authorization is configured, a second RADIUS request is sent to ISE with the User-Password field filled with the username. This causes authentication against the external identity store to fail and, depending on the ISE authentication policy options, by default ISE returns an Access-Reject to the user.
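One way to confirm the symptom above in a packet capture, as an added example (not Cisco's, FMC's or ISE's code): a small RFC 2865 decoder, run over constructed sample Access-Requests, that flags any request whose User-Password decodes to the same value as its User-Name. It assumes the RADIUS shared secret is known; the packets, secret and request authenticators are constructed here rather than taken from a real capture.

```python
import hashlib
import struct
USER_NAME, USER_PASSWORD, ACCESS_REQUEST = 1, 2, 1  # RFC 2865 attribute types / packet code
def hide_password(secret, authenticator, password):
    """RFC 2865 s5.2 User-Password hiding; used here only to build the sample packets."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out

def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password (needs the shared secret); strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")

def build_access_request(ident, authenticator, attrs):
    """Minimal RADIUS Access-Request encoder: 20-byte header followed by TLV attributes."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def parse_packet(packet):
    """Returns (code, request authenticator, {attribute type: value})."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2:
            break  # malformed attribute length; stop instead of looping forever
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return code, packet[4:20], attrs

def has_authorize_only_symptom(packet, secret):
    """True when User-Password decodes to User-Name: the second request described above."""
    code, auth, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return False
    return reveal_password(secret, auth, attrs[USER_PASSWORD]) == attrs[USER_NAME]

# Constructed sample data (not a real capture): fixed secret and request authenticators.
SECRET, AUTH_A, AUTH_B = b"constructed-shared-secret", bytes(range(16)), bytes(range(16, 32))
NORMAL_REQUEST = build_access_request(1, AUTH_A, [(USER_NAME, b"alice"),
    (USER_PASSWORD, hide_password(SECRET, AUTH_A, b"S3cret!pass"))])
SECOND_REQUEST = build_access_request(2, AUTH_B, [(USER_NAME, b"alice"),
    (USER_PASSWORD, hide_password(SECRET, AUTH_B, b"alice"))])
```

Run against a real capture, the same check would be applied to each Access-Request seen on the RADIUS port between FTD and ISE; a hit on the second request of a session points at the Authorization server being configured without "Enable authorize only".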

3. Only Authorization is configured, when Authentication is not AAA.
Make sure "Enable authorize only" is checked.