cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
947
Views
0
Helpful
4
Replies

Block AnyConnect SSH / Telnet Access on Cisco ASA asa917-15 with TACACS+ ISE 2.2

faiqmahdi
Level 1
Level 1

Hi Everyone 

ASA = ASA5510

Running = asa917-15-k8.bin

ISE Version = 2.2.0.470

ISSUE = AnyConnect Users can Login to ASA 

We have recently implemented Cisco ISE and we are using Microsoft Active Directory to Authenticate AnyConnect Users since all users are in Microsoft DC so I can not use the following command:

username MYUSER attributes
service-type remote-access

I created a TACACS Profile for AnyConnect users in ISE with following Profile Attributes:

priv-lvl=0
max_priv_lvl=0
timeout=1
idletime=1
service-type=remote-access

but service-type=remote-access attributes does not work and AnyConnect Users are still able to login to ASA, although they can not do much on ASA with Privilege Level 1 but we don't want to give them an access of ASA.  

Following are my ASA AAA configuration:

aaa-server ISE-GROUP protocol tacacs+
aaa-server ISE-GROUP (INSIDE) host xx.xx.xx.xx
aaa authentication http console ISE-GROUP LOCAL
aaa authentication ssh console ISE-GROUP LOCAL
aaa authentication enable console ISE-GROUP LOCAL
aaa authentication telnet console ISE-GROUP LOCAL
aaa authentication serial console ISE-GROUP LOCAL
aaa authorization command ISE-GROUP
aaa authentication secure-http-client
aaa authorization exec authentication-server auto-enable

Any other technique or solution to block the access will really appreciate. 

4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

On ISE 2.2 you should be able to use the "DenyAll" shell profile as the default which non-authorized users (i.e. anybody not part of the privileged AD group(s) that allows device access).

See this example:

https://supportforums.cisco.com/discussion/13103531/ise-tacacs-authentication-log-deciding-if-you-should-have-access

Hi Marvin

Thank you very much for your response. 

If I DENY Shell Profile for AnyConnect AD Group, they are no longer able to Login AnyConnect since AnyConnect requires ASA "exec" access to Login.

Moreover, ASA doesn't have TACACS AutoCmd Attributes so while I put Logout or Exit command, It doesn't work. 

There could be a workaround if I allow only ASA exec Access but now sure, how to do it. 

I should have noted - you use the DENY shell profile only for TACACS+ authorization on your ISE servers.

The tunnel-group(s) for your AnyConnect users also use ISE but as a RADIUS server (e.g. something like "aaa-server ISE-RADIUS protocol radius" etc.). That way ISE can send CoA to the ASA according to the user authorization level for the AnyConnect sessions only.

Here are a couple more examples that you can draw from:

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

https://www.petenetlive.com/KB/Article/0001155

Thanks Marvin for the direction, 

I shall give a shot and keep it posted.