Beginner

ASA RA User Authorization via ISE AuthZ Policy with IN-ACL

Hello Community Experts,

 

We are seeing a strange problem in our environment where we authenticate Remote Access VPN users on our ASA via Cisco ISE. The Cisco ISE authorization policies have a group of IN-ACL authorization profiles. When the number of combined ACL entries that are returned to the ASA by ISE goes beyond 66, the user gets a Login Failed error on AnyConnect VPN. Reducing the number back to 66 solves the problem.

 

### ASA Details ###

Cisco Adaptive Security Appliance Software Version 9.10(1)27

Firepower Extensible Operating System Version 2.4(1.248)

Device Manager Version 7.10(1)

System image file is "disk0:/asa9-10-1-27-smp-k8.bin"

 

Hardware:   ASA5555, 16384 MB RAM, CPU Lynnfield 2800 MHz, 1 CPU (8 cores)

            ASA: 8560 MB RAM, 1 CPU (2 cores)

Internal ATA Compact Flash, 8192MB

 

### ISE Details ###

Version - 2.6.0.156
Installed Patches - 3
Product Identifier (PID) - ISE-VM-K9
Version Identifier (VID) - V01
ADE-OS Version - 3.0.5.144

 

### ISE Authorization Policy ###

[Screenshot attached: Screenshot 2020-03-26 at 12.46.39 PM.png]

 

### ISE Authorization Profile with IN-ACL Entries ###

[Screenshot attached: Screenshot 2020-03-26 at 12.47.56 PM.png]

 

I appreciate all the help. Thank you!

Accepted Solution
Rising star

Re: ASA RA User Authorization via ISE AuthZ Policy with IN-ACL

First thing right away is you can adjust your ACL to consolidate some of those lines as follows:

permit ip any 10.1.32.0 255.255.224.0 - will cover 10.1.32.0 thru 10.1.63.0

That would save you 32 lines. There is probably a limit on the number of entries for your hardware/software. You can verify with TAC. But when a device is unable to apply a particular security policy like dACL, it should deny the connection. That is why you are seeing failures and disconnects when using more than 66 entries.

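The consolidation the answer suggests, as an added example that is not from the thread or from Cisco: it collapses adjacent or nested destination networks in a list of dACL entries (only the `permit|deny <proto> any <net> <mask>` ASA form is handled, an assumption of this example) and checks the resulting count against the 66-entry threshold observed above. The sample entries are constructed; `summarize_dacl`, `parse_ace` and `fits_budget` are names chosen for this example.

```python
import ipaddress
import re

# Observed in the thread: more than 66 ACEs returned by ISE gives "Login Failed".
MAX_ACES = 66

# Only 'permit|deny <proto> any <net> <mask>' ACEs are handled (assumption of this example).
ACE_RE = re.compile(r"^\s*(permit|deny)\s+(\S+)\s+any\s+(\S+)\s+(\S+)\s*$")


def parse_ace(line):
    """Return (action, protocol, network) for one ACE written with an ASA subnet mask."""
    m = ACE_RE.match(line)
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto, net, mask = m.groups()
    return action, proto, ipaddress.ip_network(f"{net}/{mask}", strict=True)


def summarize_dacl(lines):
    """Merge adjacent/nested destination networks inside each run of same-action ACEs.

    Runs keep their original order (first-match semantics unchanged) and the merged
    prefixes cover exactly the union of the run, so nothing new becomes permitted.
    """
    runs = []  # [(action, proto), [networks]] in original order
    for line in filter(str.strip, lines):
        action, proto, network = parse_ace(line)
        if runs and runs[-1][0] == (action, proto):
            runs[-1][1].append(network)
        else:
            runs.append([(action, proto), [network]])
    out = []
    for (action, proto), nets in runs:
        for net in ipaddress.collapse_addresses(nets):
            out.append(f"{action} {proto} any {net.network_address} {net.netmask}")
    return out


def fits_budget(aces, limit=MAX_ACES):
    """True when the ACE count stays within the limit the ASA in the thread accepted."""
    return len(aces) <= limit


# Constructed sample: the 32 consecutive /24s from the answer (-> one /19), two /24s
# that pair into a /23, one that cannot merge, and a trailing deny in its own run.
SAMPLE_DACL = [f"permit ip any 10.1.{i}.0 255.255.255.0" for i in range(32, 64)] + [
    "permit ip any 10.2.10.0 255.255.255.0",
    "permit ip any 10.2.11.0 255.255.255.0",
    "permit ip any 192.168.5.0 255.255.255.0",
    "deny ip any 10.1.40.0 255.255.255.0",
]
```

Running `summarize_dacl(SAMPLE_DACL)` turns the 36 constructed entries into 4, with the 32 /24s replaced by `permit ip any 10.1.32.0 255.255.224.0` exactly as the answer describes.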