01-14-2016 08:38 PM - edited 03-10-2019 11:23 PM
Company Acme wants to use ISE to authenticate against their VPN. They have different connection profiles for different access. They don’t use the dropdown, they use the URL.
We have three test users:
User1:
Memberof: pci, it, users
User2:
Memberof: facilities, users
User3:
Memberof: users, it
I don’t think we can break out connection profiles in ISE, so how would we make sure this works?
If User3 connects to acme.com/it, how do we make sure he gets the IT access rather than User?
If User2 connects to acme.com/user, how do we make sure he gets User privilege rather than Facilities?
In the past I've used NPS and I haven't had the issue of overlapping groups like this.
Thanks!
01-14-2016 11:10 PM
Hi,
As per your description, you wish that each group of users should get a different level of network access.
As per the description, I see that you are using a separate tunnel-group for each group.
Each tunnel-group has a different group-url, which means the user will directly land on the specific tunnel group.
There are different ways to provide different levels of network access:
1- You can configure a separate group-policy for each tunnel-group and apply a separate split-tunnel access-list (standard ACL) to each group-policy.
For example:
Consider IT will have access to only 10.10.10.0/24 and User will have access to only 10.10.20.0/24
For IT:
! Standard ACL listing the only network IT users reach through the tunnel
access-list split-it standard permit 10.10.10.0 255.255.255.0
group-policy IT-pol internal
group-policy IT-pol attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-it
 exit
! Remote-access tunnel-group that lands on the IT group-policy by default
tunnel-group IT-grp type remote-access
tunnel-group IT-grp general-attributes
 default-group-policy IT-pol
For User:
! Standard ACL listing the only network User users reach through the tunnel
access-list split-user standard permit 10.10.20.0 255.255.255.0
group-policy User-pol internal
group-policy User-pol attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-user
 exit
! Remote-access tunnel-group that lands on the User group-policy by default
tunnel-group User-grp type remote-access
tunnel-group User-grp general-attributes
 default-group-policy User-pol
As per the above, when users connect to different tunnel-groups they will get different group-policies and will have different ACLs specified.
Let me know if you have any more queries.
Regards,
Mrutunjay Sethi
01-15-2016 07:50 AM
This makes a lot of sense, in the past I've used NPS to push attribute 25 to apply a Group-Policy.
My concern is around ISE where you can't make an AUTHZ decision when the user resides in multiple groups.
I'm having trouble articulating this, but as you see the users above are in all sorts of different groups, so how do you make sure they get the right AuthZ profile based on what Tunnel-Group they connect to?
Example ISE Policy:
if user is member of AD-1/PCI then push GroupPolicy PCI
if user is member of AD-1/IT then push GroupPolicy IT
if user is member of AD-1/User then push GroupPolicy User
The group Policy push would obviously be attribute 25.
Now if User1 connects to the User tunnel-group, he would still match the PCI AuthZ profile right? How do I get around that?
01-15-2016 01:38 AM
Hi..
I think this link has same question as yours https://supportforums.cisco.com/discussion/12129661/ise-assign-group-policies-asa
If you use ASA, you have to
1. create tunnel-groups;
2. create group-policies,
3. assign each tunnel-group to a group-policy.
4. create authz profiles on ISE, and map this authz profile to your group policy (visit that link, to see how to do that)
5. create authz policies, and assign your authz profiles to it.
Cheers !
ak
01-15-2016 08:29 AM
Will, two things come to mind here:
1. You can override the "tunnel group" the VPN user lands on by using the "class = " attribute in ISE under the authorization profile that you return. It is called "ASA VPN" under the "common tasks". That way, if a user connects to the wrong tunnel group he/she would be placed in the correct group after authorization takes place. Then you will control the user access with vpn filters.
2. Utilize DACLs. With DACLs the customer can utilize a single tunnel group for all of its VPN users and just limit access via DACLs. I like this approach better since vpn-filters are local to each ASA, so if the customer has 10 ASAs then they would have to go and update 10 ASAs manually (unless they have CSM).
I hope this helps!
Thank you for rating helpful posts!
01-16-2016 07:40 PM
So here is where my confusion comes in.
Company has tons of users all in tons of different groups. They have User A. User A is PCI, HR, and HVAC.
If he connects to the HVAC tunnel-group, how do we make sure he gets access to just HVAC?
If we use a tunnel-group override on ISE he will hit the first match, and depending on how the AuthZ rules are ordered he could match the PCI rule, since he is a member of that too...
I might not be articulating this right, but does that make sense?
01-22-2016 07:15 PM
Sorry for the delayed reply Will! Yes, you are correct that once a rule is matched the process will stop and the associated authorization policy will be selected.
One way you could resolve your problems is to create specific rules or even specific policy sets for each individual tunnel group. You can accomplish this by utilizing the following attribute:
CVPN3000/ASA/PIX7x-Tunnel-Group-Name = value
So your rule could be something like this:
if
CVPN3000/ASA/PIX7x-Tunnel-Group-Name = HVAC
and
external identity group = HVAC
Then
HVAC_Access_Only
Question for you: Why does User A belong to the PCI and HR groups if he/she should only have access to HVAC? :)
Thank you for rating helpful posts!
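To make the first-match behaviour from the two posts above concrete, here is an added example (not from this thread or from Cisco) that models ISE's top-down authorization evaluation in Python with the question's three test users, once with Will's group-only rules and once with the Tunnel-Group-Name condition ANDed in. The tunnel-group names pci, it and user are assumed to match the group-urls in the question.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed simplification of ISE authorization: rules are evaluated
# top-down and the first rule whose conditions all hold wins. Tunnel-group
# names pci, it and user are assumed to match the group-urls in the question.

@dataclass(frozen=True)
class Request:
    user: str
    ad_groups: FrozenSet[str]   # AD memberOf values from the thread
    tunnel_group: str           # CVPN3000/ASA/PIX7x-Tunnel-Group-Name

@dataclass(frozen=True)
class Rule:
    profile: str                        # authz profile / group-policy to push
    ad_group: str                       # external identity group condition
    tunnel_group: Optional[str] = None  # None: rule ignores the tunnel group

    def matches(self, req: Request) -> bool:
        if self.ad_group not in req.ad_groups:
            return False
        return self.tunnel_group is None or self.tunnel_group == req.tunnel_group

def authorize(rules: List[Rule], req: Request, default: str = "DenyAccess") -> str:
    """First match wins; if nothing matches, the default rule applies."""
    for rule in rules:
        if rule.matches(req):
            return rule.profile
    return default

# Will's policy from the thread: AD group only, ordered PCI, IT, User.
GROUP_ONLY = [Rule("GroupPolicy_PCI", "pci"),
              Rule("GroupPolicy_IT", "it"),
              Rule("GroupPolicy_User", "users")]

# Neno's fix: AND the tunnel-group name into every rule.
WITH_TUNNEL_GROUP = [Rule("GroupPolicy_PCI", "pci", "pci"),
                     Rule("GroupPolicy_IT", "it", "it"),
                     Rule("GroupPolicy_User", "users", "user")]

# The question's test users, each connecting through the URL it names.
USER1_VIA_USER = Request("User1", frozenset({"pci", "it", "users"}), "user")
USER2_VIA_IT = Request("User2", frozenset({"facilities", "users"}), "it")
USER3_VIA_IT = Request("User3", frozenset({"users", "it"}), "it")

if __name__ == "__main__":
    for req in (USER1_VIA_USER, USER2_VIA_IT, USER3_VIA_IT):
        print(req.user, req.tunnel_group, authorize(GROUP_ONLY, req),
              authorize(WITH_TUNNEL_GROUP, req))
```

With group-only rules User1 lands on PCI even though he came in through the user URL, which is exactly the overlap Will describes; with the tunnel-group condition added, a user who hits a tunnel group whose rule they do not satisfy (User2 via it) falls to the default rule instead of inheriting another group's access.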