topic Implement Identity Policy for Anyconnect users in Network Security

Implement Identity Policy for Anyconnect users

pankajkumar2 — Fri, 21 Feb 2020 14:58:54 GMT

Hello Friends,

I'm stuck in a problem where need your suggestion.

I have ASA 5555X (9.6.(3)8) with Sourcefire services (6.2.2) running in HA. I have implemented Passive authentication and Active authentication as a fallback of Passive for all my internal users and its working seamless.

The same thing I want to implement for Anyconnect users but unable to determine the best approach.

If I enable Passive authentication for Anyconnect user then there would be a mismatch of user & IP as VPN users are mean to get frequently connected and disconnected and ASA will provide different IPs (depends on ASA available IP) and I don't want my user to put credential again on the captive portal every time. SSO should be there.

Thanks in advance

Re: Implement Identity Policy for Anyconnect users

Marvin Rhoads — Tue, 19 Dec 2017 15:45:12 GMT

What's the authentication server for your VPN users?

If it were ISE, you should be able to use that as an identity source in FMC.

Re: Implement Identity Policy for Anyconnect users

pankajkumar2 — Wed, 20 Dec 2017 04:39:15 GMT

Thanks Marvin for your response.

We are using Microsoft AD as an authentication source for VPN user and not using ISE as of now.

Re: Implement Identity Policy for Anyconnect users

Marvin Rhoads — Wed, 20 Dec 2017 12:35:27 GMT

OK, unfortunately with AD directly as the AAA server, you won't get the mapping of user-IP address even if you use the Firepower User Agent.

I just confirmed in my lab that User Agent does not map those authentications as they are not logins in the AD sense of a user logging into a workstation. Rather they are a basic LDAP authentication of a username against the AD database. As such, the User Agent doesn't capture the WMI logon event that uses.

Re: Implement Identity Policy for Anyconnect users

pankajkumar2 — Fri, 29 Dec 2017 07:27:41 GMT

Thanks Marvin for your support.
But in that case, what is the best possible solution for us?
As I understood, Passive authentication will not work here & if I decide to use Active authentication, I think that will also not work properly.
Let me explain, let's take an example:-
User1 has connected over VPN and got IP1 --> He accessed Internet post successful authentication on Captive portal
Now User1 has disconnected from VPN after some time but his Internet session still remains active on FMC & SFR
Now, User2 has tried connecting VPN and got the same IP from ASA --> As FMC/SFR is already having a session associated with that IP, it will simply allow the internet connection without asking any authentication which is a kind of identity breach, user will be able to access that type of Internet content for which that user is not allowed.

Please help with practical solution.

Re: Implement Identity Policy for Anyconnect users

Marvin Rhoads — Fri, 29 Dec 2017 12:50:20 GMT

Adding ISE to the mix would establish an authoritative source of identity to IP mapping.

Short of that I don’t think you can do it with the ASA, Firepower and AD.