Currently I am deploying an AnyConnect VPN solution for my customer on ASA 9.2(3). We are using ISE 1.3 for authenticating the remote users.
In the policy set conditions, I set the condition as below.
Policy Name : Anyconnect
Condition : DEVICE:Device Type EQUALS Device Type#All Device Types#Dial-in Access AND Radius:NAS-Port-Type EQUALS Virtual
I am authenticating the users against AD.
I am also restricting users based on group membership in authorization policies using OU attributes.
This works as expected for remote users.
We are also using ISE for authenticating the administrators who log in to the firewall. Now what is happening is that the Cisco ASA is validating administrators also against the Anyconnect policy name and failing them.
Now the question is, how to configure a different policy condition for network admin access and VPN users from the same firewall?
Any suggestion on this would be a great help.
You can get some ideas from this article of mine:
If it is set to First Matched Rules Apply, then the evaluation is sequential (top-down). It's up to you to organize the rules in a clear and logical order.
Rating is easier than praising. (-:
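To make the "First Matched Rules Apply" point concrete, here is an added, self-contained simulation of top-down policy-set matching; it is example code written for this thread, not Cisco ISE's evaluation engine and not from any post or article above. The two policy sets use the attributes quoted in the original question (DEVICE:Device Type and Radius:NAS-Port-Type); the Radius:Service-Type attribute used to tell an admin login apart from a VPN login, and the sample requests themselves, are constructed assumptions for illustration. The code reproduces the symptom described in the question (admin logins swallowed by the Anyconnect rule) and shows how reordering fixes it, plus a small check that reports rules no sample request can ever reach.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A RADIUS request reduced to attribute -> value (constructed sample data).
Request = Dict[str, str]


@dataclass
class PolicySet:
    """One policy set: a name plus AND-ed equality conditions."""
    name: str
    conditions: List[Tuple[str, str]]  # (attribute, expected value)

    def matches(self, req: Request) -> bool:
        # Every condition must hold; a missing attribute never matches.
        return all(req.get(attr) == value for attr, value in self.conditions)


def first_match(order: List[PolicySet], req: Request, default: str = "Default") -> str:
    """Top-down evaluation: the first policy set whose conditions match wins."""
    for ps in order:
        if ps.matches(req):
            return ps.name
    return default


def shadowed(order: List[PolicySet], samples: List[Request]) -> List[str]:
    """Names of policy sets that no sample request reaches, in list order.
    A rule that is never hit is usually shadowed by an earlier, broader rule."""
    hit = {first_match(order, r) for r in samples}
    return [ps.name for ps in order if ps.name not in hit]


# Conditions quoted from the question (device type + NAS-Port-Type = Virtual).
DEVICE_TYPE = ("DEVICE:Device Type", "Device Type#All Device Types#Dial-in Access")
ANYCONNECT = PolicySet("Anyconnect", [DEVICE_TYPE, ("Radius:NAS-Port-Type", "Virtual")])

# Assumption: admin logins are distinguished by Service-Type = Administrative.
FW_ADMIN = PolicySet("Firewall Admin", [DEVICE_TYPE, ("Radius:Service-Type", "Administrative")])

# Constructed sample requests: both come from the same ASA over a virtual port,
# so they differ only in the assumed Service-Type value.
VPN_USER_REQ: Request = {
    "DEVICE:Device Type": "Device Type#All Device Types#Dial-in Access",
    "Radius:NAS-Port-Type": "Virtual",
    "Radius:Service-Type": "Framed",
}
ADMIN_REQ: Request = {
    "DEVICE:Device Type": "Device Type#All Device Types#Dial-in Access",
    "Radius:NAS-Port-Type": "Virtual",
    "Radius:Service-Type": "Administrative",
}
SAMPLES = [VPN_USER_REQ, ADMIN_REQ]


def evaluate(order: List[PolicySet]) -> Dict[str, str]:
    """Which policy set each sample request lands in, for a given rule order."""
    return {"vpn": first_match(order, VPN_USER_REQ),
            "admin": first_match(order, ADMIN_REQ)}


def problem_order() -> Dict[str, str]:
    # Anyconnect first: its conditions also hold for the admin request, so the
    # admin login is evaluated against the Anyconnect policy set.
    return evaluate([ANYCONNECT, FW_ADMIN])


def fixed_order() -> Dict[str, str]:
    # More specific admin rule first: VPN users fall through to Anyconnect.
    return evaluate([FW_ADMIN, ANYCONNECT])


if __name__ == "__main__":
    print("Anyconnect above Admin:", problem_order(),
          "shadowed:", shadowed([ANYCONNECT, FW_ADMIN], SAMPLES))
    print("Admin above Anyconnect:", fixed_order(),
          "shadowed:", shadowed([FW_ADMIN, ANYCONNECT], SAMPLES))
```

The shadowed() check is the part worth keeping around when you have several policy sets (Prime, WLC, VPN concentrator, admin access): feed it one representative request per access type and any rule it lists is one that a broader rule above it is absorbing.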
My apologies for late response.
Thank you for your wonderful post. It covered every detail to configure admin and VPN access.
I have configured ISE policy sets as per your document, and I achieved VPN authentication and admin access from a firewall.
I also have other policies for Cisco Prime, WLC, and VPN Concentrator 3k series. Now I have challenges with policy matching.
Kindly suggest if there is any policy order or priority in Cisco ISE?