Cisco ISE DACLS and AnyConnect

Dave Diependaal
Level 1

I have a task where I need to migrate RAS users from a Juniper SA towards a Cisco ASA. The Juniper was checking group membership in AD. If a user was a member of multiple groups in AD (all with their own ACL), the Juniper was merging/appending all these ACLs into one big ACL and pushed this back to the user.

I need this for my 3rd party (external) users. My internal RAS users are already configured and get the DACL pushed from ISE by means of RADIUS (incl. other tunnel attributes).

Is there a way to do the same with ISE and if not with ISE is it possible to do this on the ASA?

Some more details. I am using ISE 2.0 SP 4. The ASAs are running 9.8.2 and I am using almost the latest AnyConnect client version.

Accepted Solution:

To my knowledge this is not possible. I have tried to use multiple authorization profiles in the authorization policy but it didn't help.

6 Replies

pan
Cisco Employee

From ISE you can push a different DACL for users and can also assign them a different group policy.

I have tested the following in the lab:

1> The ASA has the following group policy:

ASA-VPN1.png

2> Authorization policy on ISE: here I am assigning an authorization profile to the user based on AD group.
ASA-VPN6.png

3> I have created the following authorization profile and I am assigning a DACL:

ASA-VPN4.png

ASA-VPN3.png

4> The following DACL got pushed to the ASA:

ASA-VPN2.png

The end user is able to ping only the IP allowed in the DACL:

ASA-VPN5.png

Hope this helps!

Thank you for that, but this I have working already. My challenge is that a user is a member of multiple AD groups. Each AD group has its own ACL. The Juniper is creating one big ACL. I made an export of all the existing Juniper ACLs and converted this to the Cisco standard.

All these ACLs will be created on ISE.

But how can I let ISE do the same as what the Juniper was doing? Match a user that connects by AnyConnect against the security groups, append/merge all the corresponding ACLs and push one big ACL to the end user.

To my knowledge this is not possible. I have tried to use multiple authorization profiles in the authorization policy but it didn't help.

Correct, there are posts about this already.

Not sure what to say or think. ISE is Cisco's flagship. The device that I am phasing out is old and end-of-life but is able to do this. I guess the only option left is to create new ACLs :( Thanks for answering so fast, really appreciated!

You might want to look into segmentation using SGTs
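The "create new ACLs" workaround the original poster settles on means pre-building one DACL per combination of AD groups and selecting it with an ISE authorization rule that matches all groups of that combination. The script below is an added example, not code from the thread or from Cisco, that reproduces offline what the Juniper did at login time: it appends the per-group ACLs of a membership set into one DACL, drops duplicate lines, strips each group's own catch-all deny so it cannot shadow a later group's permits, and puts a single catch-all deny last. All group names, addresses and ACE lines are constructed sample data in ISE/ASA DACL syntax; the group set and naming scheme are assumptions.

```python
"""Build merged downloadable ACLs (DACLs) for every combination of AD groups.

Added example for the thread above; not from Cisco ISE or the original poster.
All group names, hosts and ACE lines below are constructed sample data.
"""
from itertools import combinations

# Per-group ACLs in ISE DACL syntax (constructed sample data).
GROUP_ACLS = {
    "VPN-Finance": [
        "permit tcp any host 10.10.1.10 eq 443",
        "permit tcp any host 10.10.1.11 eq 1433",
        "deny ip any any",
    ],
    "VPN-HR": [
        "permit tcp any host 10.10.2.20 eq 443",
        "permit tcp any host 10.10.1.10 eq 443",   # same host as Finance
        "deny ip any any",
    ],
    "VPN-Vendor-Print": [
        "permit tcp any 10.10.3.0 255.255.255.0 eq 9100",
        "deny ip any any",
    ],
}

CATCH_ALL_DENY = "deny ip any any"


def merge_acls(groups, group_acls=GROUP_ACLS):
    """Append the ACLs of every group in `groups` into one list of ACEs.

    Groups are processed in sorted order so the result is stable regardless
    of how AD returns the memberships. Per-group catch-all denies are removed
    and a single catch-all deny is appended last, because an early
    "deny ip any any" would shadow the permits of every later group.
    Duplicate ACEs are kept once, in first-seen position.
    """
    merged = []
    seen = set()
    for group in sorted(groups):
        if group not in group_acls:
            raise KeyError(f"no ACL defined for group {group!r}")
        for ace in group_acls[group]:
            ace = " ".join(ace.split())          # normalise whitespace
            if ace == CATCH_ALL_DENY or ace in seen:
                continue
            seen.add(ace)
            merged.append(ace)
    merged.append(CATCH_ALL_DENY)
    return merged


def dacl_name(groups):
    """Deterministic DACL name for a group set (assumed naming convention)."""
    return "DACL_" + "_".join(sorted(groups))


def build_all_combinations(group_acls=GROUP_ACLS):
    """Every non-empty combination of groups -> merged ACL.

    This is the full set of DACLs that would have to exist in ISE to cover
    every possible membership mix; it grows as 2**n - 1 for n groups.
    """
    names = sorted(group_acls)
    out = {}
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            out[dacl_name(combo)] = merge_acls(combo, group_acls)
    return out


if __name__ == "__main__":
    for name, acl in build_all_combinations().items():
        print(name)
        for ace in acl:
            print("  " + ace)
```

The 2**n - 1 growth is the real cost of this workaround: it is manageable for a handful of vendor groups but not for dozens, which is where the SGT-based segmentation suggested in the last reply, or collapsing the groups themselves, becomes the better design. Merging also silently widens access compared to the Juniper's per-group result if any group carried an explicit deny other than the catch-all, so diff the generated DACLs against the exported Juniper ACLs before loading them into ISE.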