Hi Everyone
ASA = ASA5510
Running = asa917-15-k8.bin
ISE Version = 2.2.0.470
ISSUE = AnyConnect Users can Login to ASA
We have recently implemented Cisco ISE and we are using Microsoft Active Directory to authenticate AnyConnect users. Since all users are in the Microsoft DC, I cannot use the following command:
username MYUSER attributes
service-type remote-access
I created a TACACS profile for AnyConnect users in ISE with the following profile attributes:
priv-lvl=0
max_priv_lvl=0
timeout=1
idletime=1
service-type=remote-access
but the service-type=remote-access attribute does not work and AnyConnect users are still able to log in to the ASA, although they cannot do much on the ASA at that privilege level.
Following is my ASA AAA configuration:
aaa-server ISE-GROUP protocol tacacs+
aaa-server ISE-GROUP (INSIDE) host xx.xx.xx.xx
aaa authentication
aaa authentication ssh console ISE-GROUP LOCAL
aaa authentication enable console ISE-GROUP LOCAL
aaa authentication telnet console ISE-GROUP LOCAL
aaa authentication serial console ISE-GROUP LOCAL
aaa authorization command ISE-GROUP
aaa authentication secure-
aaa authorization exec authentication-server auto-enable
Any other technique or solution to block the access would be really appreciated.
On ISE 2.2 you should be able to use the "DenyAll" shell profile as the default, which non-authorized users (i.e. anybody not part of the privileged AD group(s) that allow device access) would receive.
See this example:
https://supportforums.cisco.com/discussion/13103531/ise-tacacs-authentication-log-deciding-if-you-should-have-access
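What separates the asker's profile from a DenyAll shell profile is visible in the TACACS+ authorization REPLY itself: a profile that only sets priv-lvl=0 still answers with a PASS status, so the NAS opens the exec session at a low privilege (which matches the behaviour the asker describes), whereas DenyAll answers with a FAIL status and no session is established. The following Python script is an added example and is not code from either post, from Cisco or from ISE. It encodes and decodes the authorization REPLY body as laid out in RFC 8907 section 6.2; the 12-byte TACACS+ packet header and the body obfuscation are omitted, the three reply bodies are constructed test vectors, and the rule "any PASS status opens the session, a missing priv-lvl means level 1" is an assumption that models a typical NAS rather than documented ASA behaviour.

```python
"""Decode TACACS+ authorization REPLY bodies (RFC 8907 section 6.2) and show how a
NAS reads a DenyAll shell profile versus a PASS reply that only carries priv-lvl=0.

Added example, not code from the thread or from Cisco. Packet bodies are constructed
test vectors; the TACACS+ header and body obfuscation are left out so it runs offline."""
import struct

# Authorization REPLY status values (RFC 8907, section 6.2)
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10
TAC_PLUS_AUTHOR_STATUS_ERROR = 0x11
TAC_PLUS_AUTHOR_STATUS_FOLLOW = 0x21


def build_author_reply(status, args=(), server_msg=b"", data=b""):
    """Encode a REPLY body: status, arg_cnt, server_msg_len, data_len,
    one length byte per arg, then server_msg, data and the args themselves."""
    encoded = [a.encode("ascii") for a in args]
    if len(encoded) > 255 or any(len(a) > 255 for a in encoded):
        raise ValueError("too many or too long args for one REPLY")
    head = struct.pack("!BBHH", status, len(encoded), len(server_msg), len(data))
    arg_lens = bytes(len(a) for a in encoded)
    return head + arg_lens + server_msg + data + b"".join(encoded)


def parse_author_reply(body):
    """Decode a REPLY body into (status, server_msg, data, {name: (value, mandatory)}).
    Every length field is checked against the buffer so a truncated body raises."""
    if len(body) < 6:
        raise ValueError("truncated REPLY header")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    pos = 6
    arg_lens = body[pos:pos + arg_cnt]
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated arg length table")
    pos += arg_cnt
    server_msg = body[pos:pos + msg_len]
    pos += msg_len
    data = body[pos:pos + data_len]
    pos += data_len
    args = {}
    for n in arg_lens:
        raw = body[pos:pos + n]
        if len(raw) != n:
            raise ValueError("truncated arg")
        pos += n
        text = raw.decode("ascii", errors="replace")
        # The attribute name ends at the first '=' (mandatory) or '*' (optional).
        sep = min((i for i in (text.find("="), text.find("*")) if i >= 0), default=-1)
        if sep < 0:
            raise ValueError(f"malformed arg {text!r}")
        args[text[:sep]] = (text[sep + 1:], text[sep] == "=")
    if pos != len(body):
        raise ValueError("trailing bytes after REPLY")
    return status, server_msg, data, args


def exec_session_decision(body):
    """Return (shell_granted, priv_lvl) the way a NAS would read the reply to a
    service=shell exec authorization. Assumption (not ASA-documented here): any
    PASS status opens the session; a missing priv-lvl is treated as level 1."""
    status, _, _, args = parse_author_reply(body)
    if status in (TAC_PLUS_AUTHOR_STATUS_PASS_ADD, TAC_PLUS_AUTHOR_STATUS_PASS_REPL):
        return True, int(args.get("priv-lvl", ("1", False))[0])
    return False, None


# Constructed replies: the asker's profile, a DenyAll profile, and an admin profile.
VPN_USER_PROFILE_REPLY = build_author_reply(
    TAC_PLUS_AUTHOR_STATUS_PASS_ADD,
    ["priv-lvl=0", "max_priv_lvl=0", "timeout=1", "idletime=1",
     "service-type=remote-access"])  # extra attribute is carried but changes nothing
DENY_ALL_REPLY = build_author_reply(
    TAC_PLUS_AUTHOR_STATUS_FAIL, server_msg=b"Authorization denied")
ADMIN_REPLY = build_author_reply(TAC_PLUS_AUTHOR_STATUS_PASS_ADD, ["priv-lvl=15"])

if __name__ == "__main__":
    for name, body in (("asker profile", VPN_USER_PROFILE_REPLY),
                       ("DenyAll", DENY_ALL_REPLY), ("admin", ADMIN_REPLY)):
        print(name, "->", exec_session_decision(body))
```

Running the script shows the asker's profile still yields a session (granted, privilege 0), the DenyAll reply yields no session at all, and the admin reply yields privilege 15; mapping the non-privileged AD groups to DenyAll on the ISE side is what turns the first case into the second.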