ASA VPN and Admin access from cisco ISE

srihari4cisco
Level 1

Hello,

Currently I am deploying an AnyConnect VPN solution for my customer on ASA 9.2(3). We are using ISE 1.3 for authenticating the remote users.

In the policy set conditions, I set the condition as below.

 

Policy Name: Anyconnect

Condition: DEVICE:Device Type EQUALS Device Type#All Device Types#Dial-in Access AND Radius:NAS-Port-Type EQUALS Virtual

I am authenticating the users against AD.

I am also restricting users based on group membership in authorization policies using OU attributes.

This works as expected for remote users.

 

We are also using ISE for authenticating the administrators who log in to the firewall. Now what is happening is that the Cisco ASA is also validating administrators against the Anyconnect policy name and failing them.

Now the question is how to configure different policy conditions for network admin access and VPN users from the same firewall.

 

Any suggestion on this would be a great help.

Cheers,

Sri

 


Hello Peter,

 

My apologies for the late response.

Thank you for your wonderful post. It covered every detail to configure admin and VPN access.

I have configured ISE policy sets as per your document and I achieved VPN authentication and admin access from a firewall.

I also have other policies for Cisco Prime, WLC, and VPN concentrator 3k series. Now I have challenges with policy matching.

Kindly suggest if there is any policy order or priority in Cisco ISE?

 

Best Regards,

Sri

 

If it is set to First Matched Rules Apply, then the evaluation is sequential (top-down). It's up to you to organize the rules in a clear and logical order.

 

Rating is easier than praising. (-:
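
The top-down, first-match evaluation described in the reply above, modelled as an added example (not part of the original thread and not ISE code). It also reports policy sets that can never be reached because a broader set sits above them. Only the Anyconnect condition comes from the thread; the `ASA-Admin` and `WLC` sets, the `Example-Admin-Attr` attribute, the parent/child device-group matching and all sample requests are assumptions made for illustration.

```python
# Added illustration: toy model of top-down, first-match policy set selection.
# Not ISE code. Only the Anyconnect condition comes from the thread.
ALL = "All Device Types"

def cond_matches(cond, request):
    """True if the request satisfies every attribute in the condition."""
    for attr, wanted in cond.items():
        have = request.get(attr)
        if have is None:
            return False
        if attr == "Device Type":
            # Assumption: a device in a child group also matches the parent group.
            if have != wanted and not have.startswith(wanted + "#"):
                return False
        elif have != wanted:
            return False
    return True

def first_match(policy_sets, request):
    """Name of the first set (top-down) whose condition matches."""
    for name, cond in policy_sets:
        if cond_matches(cond, request):
            return name
    return "Default"

def shadowed(policy_sets):
    """(lower, upper) pairs where every request for `lower` is taken by `upper`."""
    pairs = []
    for i, (low_name, low) in enumerate(policy_sets):
        for up_name, up in policy_sets[:i]:
            # `upper` covers `lower` if lower's own condition, read as a
            # request, satisfies everything upper asks for.
            if cond_matches(up, low):
                pairs.append((low_name, up_name))
                break
    return pairs

VPN = {"Device Type": ALL + "#Dial-in Access", "NAS-Port-Type": "Virtual"}
# Hypothetical extra condition; the thread does not say which attribute to use.
ADMIN = dict(VPN, **{"Example-Admin-Attr": "yes"})
WLC = {"Device Type": ALL + "#WLC"}  # constructed group name

BAD_ORDER = [("Anyconnect", VPN), ("ASA-Admin", ADMIN), ("WLC", WLC)]
GOOD_ORDER = [("ASA-Admin", ADMIN), ("Anyconnect", VPN), ("WLC", WLC)]

if __name__ == "__main__":
    admin_login = dict(ADMIN)  # constructed request from the firewall
    print(first_match(BAD_ORDER, admin_login), shadowed(BAD_ORDER))
    print(first_match(GOOD_ORDER, admin_login), shadowed(GOOD_ORDER))
```
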