
ISE 2.1 Using CVPN3000/ASA/PIX7x-Tunnel-Group-Name Attribute Not Working

scamarda
Cisco Employee

ISE 2.1 setup with ASA VPN user. Two tunnel groups defined on ASA. User has the ability to select Tunnel-Group when connecting. I would like ISE to look at that choice and deliver appropriate policy based on user selection. I can see the correct Tunnel Group name in the ISE Auth record, but it appears to be ignoring it in policy selection.

ISE policy:

Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name MATCHES CertificateAuthPublic

ASA Tunnel Group is named CertificateAuthPublic

It is not matching. I've tried Contains as well. I saw there were some issues with this in the 1.x version of ISE. Should this work in version 2.1?


Accepted Solutions

Problem due to incorrect attributes in AuthZ policy.  Thanks Hslai.


4 Replies

hslai
Cisco Employee

I would suggest to DEBUG authentication on runtime-AAA to ensure RADIUS auth requests are sending the attribute.

Furthermore, DEBUG on epm-pdp, epm-pip, and nsf-session to check the session attributes available for authorization.

If you need further help on it, perhaps we may have a WebEx.

I can see the attribute being sent from the ASA to ISE. It shows up under Other Attributes in the Auth detail record:

Other Attributes

ConfigVersionId     113

Device Port     16391

DestinationPort     1645

RadiusPacketType     AccessRequest

Protocol     Radius

NAS-Port     311296

CVPN3000/ASA/PIX7x-Tunnel-Group-Name     CertificateAuthPublic

Nothing showed up in the ise-psc.log with the debugs turned on.

Can we do a webex real quick to see what I am doing wrong?




Hi Scamarda.

What do you mean by incorrect attributes in AuthZ policy? We are also having this issue; in our case we are using the tunnel-group-name condition to have separate ISE-Posture policies for two different vpn-groups in ASA. But this looks to be the same. Can you let me know what the resolution is here?