topic Re: Specific Multi-Match RADIUS/LDAP Questions in Network Access Control

Specific Multi-Match RADIUS/LDAP Questions

bilclay — Wed, 02 Mar 2016 01:57:52 GMT

ISE Gurus,

I have a customer/partner that is interested in deploying a remote access VPN solution using ASA, ISE and Anyconnect. Customer wonders how the solution can support user permissions when the user is part of multiple AD group within the memberOf attribute. Ideal flow would be that the permissions of each group would be appended/cumulative so that the permissions of all groups they are a member of are enabled simultaneously. They have 40-50 groups with unique ACL/permissions on each group.

I now realize that we can use the Multi-Match AuthZ policy to append ACE entries based on membership to multiple groups however the Cisco Partner I'm working with has additional questions listed below.

____________________________________________________________________

Is there any size limitation of cisco av-pair ip:inacl?

How many ACEs could be fit into one radius packet since single Radius attribute can be up to 255 bytes long as explained in CSCum57190?

Could this av-pair be sent using as many RADIUS packets as required to transport the full ACL from ISE to ASA?

What is the merging algorithm where there is overlapping ACEs from different groups?

Will this cisco av-pair work with COA of ASA Version 9.2.1 VPN Posture with ISE Configuration Example - Cisco?

Is it possible to use ISE and ASA to have flexibility like DAP for accumulating Network Type ACL, Web Type ACL, Port-forwarding List, and URL lists for different LDAP group?

ASA 8.x Dynamic Access Policies (DAP) Deployment Guide - Cisco

This is for a timely deal, thanks for the help!!!

Re: Specific Multi-Match RADIUS/LDAP Questions

Jason Kunst — Wed, 02 Mar 2016 13:16:35 GMT

IT looks like someone from the team or customer/partner has already posted the question, can you please verify so we are not duplicating effort? Also please encourage partners and customers to post here

here is the thread that was updated shortly before your post

Re: Can ISE/ASA/Anyconnect support multiple AD group membership?

Re: Specific Multi-Match RADIUS/LDAP Questions

bilclay — Wed, 02 Mar 2016 13:26:19 GMT

The main question was posed an answered however additional follow questions were asked therefore I created a new thread and included assumed answers from old thread. Would really appreciate answers to the additional questions here.

Re: Specific Multi-Match RADIUS/LDAP Questions

sding2006 — Wed, 02 Mar 2016 18:46:21 GMT

Thanks for the attention!

Granted, it might have been totally fine to use ISE/ASA with ISE posture assessment if we have luxury to design VPN and AD authorization related schema from scratch utilizing some of the following:

ASA authorization options:

IETF Class attribute

Map to group policy where filter(ACL), VLAN restriction etc. defined

IETF Filter-ID

Map to ACL pre-defined on ASA

dACL

ACL defined on ISE and downloaded with radius to ASA

DAP

Specifying ACL

Secure Group Tag (SGT)

Cisco AV pair ACL

Higher priority than dACL by default, could be merged with merge-dacl {before-avpair | after-avpair} on radius server definition

http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/aaa-radius.html

But when accumulating different kind of [network|web|port-forwarding|URL] access policies from different group is desired for RA VPN solution, IMHO, there are not many choices at this moment besides:

1) Tie ISE with ASA VPN deployment utilizing ISE posture module, CSCum57190 will probably have to be addressed given that ISE cannot send radius messages > 4k

https://tools.cisco.com/bugsearch/bug/CSCuf90492/?referring_site=bugquickviewredir

2) Decouple ISE from ASA VPN deployment, use DAP/LDAP on ASA talking LDAP directly with identity store, and ASA posture module. Will ASA posture module/hostscan to be supported in long term?

I am open and eager to learn any new features or old tricks.