Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
808
Views
0
Helpful
4
Replies

Block AnyConnect SSH / Telnet Access on Cisco ASA asa917-15 with TACACS+ ISE 2.2

faiqmahdi
Level 1
Level 1

‎06-10-2017 04:27 AM - edited ‎03-11-2019 12:46 AM

Hi Everyone 

ASA = ASA5510

Running = asa917-15-k8.bin

ISE Version = 2.2.0.470

ISSUE = AnyConnect Users can Login to ASA 

We have recently implemented Cisco ISE and we are using Microsoft Active Directory to Authenticate AnyConnect Users since all users are in Microsoft DC so I can not use the following command:

username MYUSER attributes
service-type remote-access

I created a TACACS Profile for AnyConnect users in ISE with following Profile Attributes:

priv-lvl=0
max_priv_lvl=0
timeout=1
idletime=1
service-type=remote-access

but service-type=remote-access attributes does not work and AnyConnect Users are still able to login to ASA, although they can not do much on ASA with Privilege Level 1 but we don't want to give them an access of ASA.  

Following are my ASA AAA configuration:

aaa-server ISE-GROUP protocol tacacs+
aaa-server ISE-GROUP (INSIDE) host xx.xx.xx.xx
aaa authentication http console ISE-GROUP LOCAL
aaa authentication ssh console ISE-GROUP LOCAL
aaa authentication enable console ISE-GROUP LOCAL
aaa authentication telnet console ISE-GROUP LOCAL
aaa authentication serial console ISE-GROUP LOCAL
aaa authorization command ISE-GROUP
aaa authentication secure-http-client
aaa authorization exec authentication-server auto-enable

Any other technique or solution to block the access will really appreciate. 

Labels:
0 Helpful
4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-10-2017 11:24 PM

On ISE 2.2 you should be able to use the "DenyAll" shell profile as the default which non-authorized users (i.e. anybody not part of the privileged AD group(s) that allows device access).

See this example:

https://supportforums.cisco.com/discussion/13103531/ise-tacacs-authentication-log-deciding-if-you-should-have-access

0 Helpful

faiqmahdi
Level 1
Level 1
In response to Marvin Rhoads

‎06-11-2017 12:08 AM

Hi Marvin

Thank you very much for your response. 

If I DENY Shell Profile for AnyConnect AD Group, they are no longer able to Login AnyConnect since AnyConnect requires ASA "exec" access to Login.

Moreover, ASA doesn't have TACACS AutoCmd Attributes so while I put Logout or Exit command, It doesn't work. 

There could be a workaround if I allow only ASA exec Access but now sure, how to do it. 

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to faiqmahdi

‎06-11-2017 12:09 AM

I should have noted - you use the DENY shell profile only for TACACS+ authorization on your ISE servers.

The tunnel-group(s) for your AnyConnect users also use ISE but as a RADIUS server (e.g. something like "aaa-server ISE-RADIUS protocol radius" etc.). That way ISE can send CoA to the ASA according to the user authorization level for the AnyConnect sessions only.

Here are a couple more examples that you can draw from:

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

https://www.petenetlive.com/KB/Article/0001155

0 Helpful

faiqmahdi
Level 1
Level 1
In response to Marvin Rhoads

‎06-11-2017 12:17 AM

Thanks Marvin for the direction, 

I shall give a shot and keep it posted. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents