ASA-IPN-ISE convert to ASA-ISE Step by step?

dirkmelvin · ‎02-04-2016

I haven't found such a document/blog for doing this, but I am looking to convert our current ASA-IPN-ISE config to ASA-ISE (eliminating the IPN from our current config).

We have been running ISE for a few years since ISE 1.1, with our ASA on v9. We now have ISE v1.4 and the ASA is on v9.5(2). So with the ISE hardware (3315) for the IPN being discontinued we want to just take it out of the mix, we might move to the newer hardware later this year, but that will involve purchases and licensing maneuvering.

To get our setup working we had to create subinterfaces on our ASA splitting our 'inside' physical port into 'ISE' and 'INSIDE' subinterfaces. And created rules so that all VPN traffic used the 'ISE' subinterface to talk direct to the IPN, while allowing all but VPN traffic to use the 'INSIDE' subinterface. So this might be a little more complicated than most setups.

We are ONLY using ISE for the VPN users, we have not hooked it to WiFi or LAN devices yet.

So does anyone have a document on how to do this? I am assuming it must be easy, but I don't have a 'test' environment to figure it out, so when we do this it will be a one shot deal on a maintenance weekend, that I would prefer to have a guide, rather than having to spend an entire Saturday with trail and error on my own.

dirkmelvin · ‎03-09-2016

Wow, an entire month and nothing?

Well I am here to tell everyone, do not tread into this transition lightly.

I have worked with TAC slowly over the last couple of months to make sure this was a straight forward and easy transitions, but I am disappointed to say, I have been bitten by the complexity that this change makes to our configuration.

First of all, if you are using Split-tunnel on your RA-VPN, DO NOT go by the instructions in TAC Doc#117693: ASA VERSION 9.2.1 VPN Posture with ISE Configuration Example. (First order of business that I take issue with is, the entire document mentions nothing about a VPN ACL (split tunnel or otherwise) and does nothing to describe how such an ACL would be overridden by ISE. It just has you create an ACL ('Redirect') on the ASA that is not assigned to anything, then in the ISE configs tells you to tell ISE to call on that ACL at some point.

It took me hours of working with TAC to get my split-tunnel config working correctly before we even started reworking the ISE side of the config. And now we are sort of in limbo with our VPN users because at this time anyone that connects to the VPN has full internal network access even before the NAC agent pops up to start the posture process and it stays that way, pass or fail.

We currently have Cisco jumping through hoops to get this config solved.

In general I think that if we didn't use split-tunnel things would be much smoother on this, but things as they are, we are unable to change that.

Working with TAC we can clearly see on the ASA that the dACL is being pushed to the VPN users, but it seems the split-tunnel ACL from the original VPN connection is forcing precedence over any ACL pushed down from ISE.