06-07-2021 06:40 AM
I'm setting up RA VPN using AnyConnect + ASA and authentication is performed on ISE.
Everything works fine and I'm able to assign Group Policies and DACLs using RADIUS.
Now I need to assign Group Policy based on ISE Posture result but ASA is ignoring Group Policy and Re-authentication Time attributes passed on RADIUS CoA. DACL value is processed without any problem!
My goal is to assign AnyConnect client profiles (AC Management VPN Profile) and reauthentication timer based on posture result (validates on registry that user logged in using domain machine).
06-07-2021 08:08 AM
Does the ASA receive these RADIUS attributes? turn on ASA debugs to confirm, provide the output for review.
Are you using "Advanced Attribute Settings" -> Class = ou=<GROUP-POLICY-NAME> in the ISE AuthZ profile?
What version of ASA are you using?
06-07-2021 08:18 AM
Yes, I can see the attributes being returned running debugs on ASA. It seems they worked fine for RADIUS but not for RADIUS CoA.
We're testing on ASA 9.13(1).
Thanks
AM
06-08-2021 07:13 AM
This is expected. ASA policy updates via CoA are limited to ACLs/DACLs, and SGT updates.
06-08-2021 05:05 PM
I was not aware of that limitation.... it would be nice if we could also have group policy update.
11-03-2021 02:20 AM
Hi hslai, I want to double-check your comment that ASA policy updates via CoA are limited to ACLs/DACLs and SGT updates.
I have a user that I need to assign a static IP address retrieved from their Dial-In settings in Active Directory. I have excluded this IP address from the ASA VPN pool so it cannot be assigned to another user. I actually followed the procedure found at the link below. https://integratingit.wordpress.com/2017/01/01/cisco-asa-anyconnect-vpn-with-static-client-ip-address/
I can see ISE sending the framed IP address attribute in the Authorization however ASA never applies this to the client. So based on your comments, is this a limitation?
11-03-2021 02:28 AM
Just resolved this by enabling Use Authentication Server in my ASA and now I am getting static IP. Thanks.
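To put the pieces of this thread side by side, here is an ASA configuration fragment added as an illustration; it is not a config posted by any of the participants. It assumes a RADIUS server group named ISE-RADIUS at 10.0.0.10, group policies GP-STANDARD and GP-MGMT, a pool RA-POOL and a tunnel group RA-VPN; all of those names and addresses are placeholders. The group policy is selected by the Class = ou=<name> value ISE returns in the Access-Accept (first post), `dynamic-authorization` lets ISE push the posture CoA that, per the thread, only changes DACL/SGT, and `vpn-addr-assign aaa` is the CLI form of the "Use Authentication Server" setting that makes the ASA honour Framed-IP-Address.

```text
! RADIUS server group with CoA enabled (ISE posture pushes DACL/SGT
! after the session is up; the group policy itself is fixed at login)
aaa-server ISE-RADIUS protocol radius
 dynamic-authorization
aaa-server ISE-RADIUS (inside) host 10.0.0.10
 key ChangeMe          ! placeholder shared secret

! Address pool. 10.10.10.200 is deliberately left out so the static
! address stored in AD and returned by ISE as Framed-IP-Address
! cannot collide with a pool lease.
ip local pool RA-POOL 10.10.10.1-10.10.10.199 mask 255.255.255.0

! Accept Framed-IP-Address from the RADIUS server
! (ASDM: Address Assignment -> "Use Authentication Server")
vpn-addr-assign aaa

! Group policy used when ISE returns Class = ou=GP-STANDARD
group-policy GP-STANDARD internal
group-policy GP-STANDARD attributes
 vpn-tunnel-protocol ssl-client
 address-pools value RA-POOL

! Group policy used when ISE returns Class = ou=GP-MGMT;
! carries the AnyConnect management-tunnel profile
webvpn
 enable outside
 anyconnect enable
 anyconnect profiles AC-MGMT disk0:/ac-mgmt.xml   ! assumed file name
group-policy GP-MGMT internal
group-policy GP-MGMT attributes
 vpn-tunnel-protocol ssl-client
 address-pools value RA-POOL
 webvpn
  anyconnect profiles value AC-MGMT type vpn-mgmt

tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ISE-RADIUS
 default-group-policy GP-STANDARD
```

On the ISE side the matching authorization profile sets Radius:Class = ou=GP-MGMT under Advanced Attributes Settings and attaches the DACL; that pairing is what the first post describes working over plain RADIUS. The lines to check when an attribute is ignored are `show vpn-sessiondb detail anyconnect` for the group policy and assigned address actually in effect, and `debug radius` to confirm the attribute arrived in the Access-Accept rather than only in the CoA-Request.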
06-10-2021 02:09 PM
I can hardly interpret switching the group policy. You can switch to another SGT or DACL, but a client profile is not something you switch. The XML profile has already downloaded, and then a CoA is supposed to change it? The XML will not be deleted if it has already been downloaded.
06-10-2021 03:09 PM
Hi Peter,
In this situation I need to disconnect computers that are not posture compliant and assign AnyConnect Management Tunnel profile to compliant computers. How else can I do this?
Regards
Antonio