CSCuu86793 - Enhancement ISE pushing dACL for Split Tunnel VPN

Hi, We have ISE 2.4 patch 3 and would like to be able to push a split tunnel DACL to a user connecting via the AnyConnect VPN client (4.7) to an ASA. The ASA configuration is under strict change control, so we would like to be able to push the split tunnel DACL from ISE, as we have more open change controls on ISE.

The ASA is running v9.8.3 and is configured for ssl-client access only. It has one tunnel group configured, and we currently authenticate these VPN users against ISE, where once authenticated and authorized they receive a DACL applied to their VPN session. This works fine but is full tunnel only, meaning they have to connect and disconnect a lot if they need to browse or use other systems outside of the VPN.

We can't provide Internet access through the VPN as it's not allowed by our security policy. We have new requirements for the VPN users frequently, so using DACLs pushed from ISE is an easy way to control and enable new functionality quickly.

We would like to avoid creating the Split Tunnel ACLs on the ASA and using ISE to reference them once authenticating a user, for the strict change control reasons applied to the ASA platform.

Is it possible to push split tunnel DACLs from ISE, or could this be a future enhancement?

Many thanks in advance.

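As an added illustration (not from the original post or from Cisco), here are the two ASA-side pieces the question contrasts: the tunnel group authenticating to ISE, under which a per-session dACL returned by ISE is applied, and the split-tunnel network list, which has to exist on the ASA as a local ACL that an ISE authorization profile can only reference by name through the Cisco VPN3000/ASA RADIUS attributes. Server addresses, object and ACL names are assumed placeholders.

```text
! --- Added example; names, addresses and the shared secret are placeholders ---
! RADIUS server group pointing at ISE; dynamic-authorization permits ISE CoA
aaa-server ISE-RADIUS protocol radius
 dynamic-authorization
 interim-accounting-update
aaa-server ISE-RADIUS (inside) host 192.0.2.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813

! Single ssl-client remote-access tunnel group authenticating against ISE
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE-RADIUS
 accounting-server-group ISE-RADIUS
 default-group-policy GP-RA

! Current state described in the post: full tunnel. The dACL named in the
! ISE authorization profile ("DACL Name") is downloaded and applied to the
! session on top of this group policy; no ASA change is needed to alter it.
group-policy GP-RA internal
group-policy GP-RA attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall

! Split tunnel: the network list is a standard ACL that must be defined on
! the ASA itself, so adding or changing networks falls under ASA change control.
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT-TUNNEL standard permit 172.16.0.0 255.240.0.0

! Either bind it statically in the group policy ...
group-policy GP-RA attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
! ... or keep GP-RA at tunnelall and have the ISE authorization profile return
! the Cisco VPN3000/ASA RADIUS attributes per user or group:
!   IPSec-Split-Tunneling-Policy = 1 (split tunnel, in that dictionary)
!   IPSec-Split-Tunnel-List      = SPLIT-TUNNEL   (the ACL name above)
! Either way the ACL contents live on the ASA, not in ISE, which is the
! limitation the post is asking to have lifted.
```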