cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

524
Views
0
Helpful
4
Replies
faiqmahdi
Beginner

Block AnyConnect SSH / Telnet Access on Cisco ASA asa917-15 with TACACS+ ISE 2.2

Hi Everyone 

ASA = ASA5510

Running = asa917-15-k8.bin

ISE Version = 2.2.0.470

ISSUE = AnyConnect Users can Login to ASA 

We have recently implemented Cisco ISE and we are using Microsoft Active Directory to Authenticate AnyConnect Users since all users are in Microsoft DC so I can not use the following command:

username MYUSER attributes
service-type remote-access

I created a TACACS Profile for AnyConnect users in ISE with following Profile Attributes:

priv-lvl=0
max_priv_lvl=0
timeout=1
idletime=1
service-type=remote-access

but service-type=remote-access attributes does not work and AnyConnect Users are still able to login to ASA, although they can not do much on ASA with Privilege Level 1 but we don't want to give them an access of ASA.  

Following are my ASA AAA configuration:

aaa-server ISE-GROUP protocol tacacs+
aaa-server ISE-GROUP (INSIDE) host xx.xx.xx.xx
aaa authentication http console ISE-GROUP LOCAL
aaa authentication ssh console ISE-GROUP LOCAL
aaa authentication enable console ISE-GROUP LOCAL
aaa authentication telnet console ISE-GROUP LOCAL
aaa authentication serial console ISE-GROUP LOCAL
aaa authorization command ISE-GROUP
aaa authentication secure-http-client
aaa authorization exec authentication-server auto-enable

Any other technique or solution to block the access will really appreciate. 

4 REPLIES 4
Marvin Rhoads
VIP Community Legend

On ISE 2.2 you should be able to use the "DenyAll" shell profile as the default which non-authorized users (i.e. anybody not part of the privileged AD group(s) that allows device access).

See this example:

https://supportforums.cisco.com/discussion/13103531/ise-tacacs-authentication-log-deciding-if-you-should-have-access