Cisco ISE with AnyConnect and LDAP.

mluszcz68
Level 1

I currently use Cisco ASA with LDAP integration. User selects Connection profile and then ASA communicates with AD via LDAP. Authenticates the user and then the ASA will assign the user the proper Group Policy.

I am trying to make it so the Cisco ASA talks to ISE rather than AD directly. I want ISE to do LDAP. Is this possible? Ultimately I will tie posturing into this as well.

On the ASA:

* I have the connection profile authentication method set to AAA and the AAA server group talks to ISE via RADIUS.

On Cisco ISE:

* I have an LDAP external ID source created. Schema set to Custom, my username comes through. Set to Active Directory, the username shows up as INVALID in live logs.

I want to make sure this is all possible before I continue on. It seems possible. I feel like I would need to make a Policy-Set per Identity group. Then within that unique policy, reference a different Authentication policy pointing to a unique LDAP server. Within that LDAP server group, I have specific groups added that I would want someone using a certain identity group to be searched for in.

Then make authorization policies / profiles per group. If USER was found in LDAP:ExternalGroups then use this profile which would send back to the ASA the proper group policy tag.

Does this all sound right?



@mluszcz68 wrote

I am trying to make it so the Cisco ASA talks to ISE rather than AD directly. I want ISE to do LDAP. Is this possible? Ultimately I will tie posturing into this as well.

Nowadays this is a standard setup with AD authentication via ISE.

Look at the example guide below:

 

https://www.petenetlive.com/KB/Article/0001155

BB


@mluszcz68 


@mluszcz68 wrote

I want to make sure this is all possible before I continue on. It seems possible. I feel like I would need to make a Policy-Set per Identity group. Then within that unique policy, reference a different Authentication policy pointing to a unique LDAP server. Within that LDAP server group, i have specific groups added that I would want someone using a certain identity group to be searched for in. 
You don't need to create multiple Policy Sets per identity group. Create 1 Policy Set (match on IP address of ASA IP or Device Group). Create an authentication rule to authenticate all users against AD/LDAP. Create multiple Authorisation Rules matching against the different groups.

 

Thank you for the reply.

I figured this part out. Don't even need to do LDAP really. When talking with AD, it replies back with the group and I can make an authorization policy around it.

My issue now is I am trying to do posturing as well. I would like to say:

* If unknown, then A with THIS group policy.

* If non-compliant, then B with THIS group policy.

* If Compliant AND this AD group, then THIS group policy.

It works except if someone gets unknown or non-compliant and fixes their client or PC, they will not get the new group policy.

@mluszcz68 

That won't work. Changing the user from unknown/non-compliant to compliant relies on sending a CoA, which can only update DACLs, SGTs, etc., not change the group-policy.

What settings do you need to apply in the group policy?
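An added example of the ASA side of the setup the thread describes (RADIUS to ISE for authentication and accounting, group-policy chosen by ISE at login, CoA accepted for the posture result); this is illustrative configuration written for this thread, not config posted by anyone in it, and the server group name, PSN address, interface names, group-policy names and tunnel-group name are assumed.

```cisco
! Assumed names and addresses: RADIUS server group "ISE", ISE PSN at 10.0.0.10
! reachable via the inside interface, group-policies GP-QUARANTINE and GP-STAFF,
! tunnel-group STAFF-VPN. Replace <SHARED-SECRET> with the real RADIUS key.

! RADIUS server group pointing at ISE. "dynamic-authorization" makes the ASA accept
! a Change of Authorization (CoA) from ISE after the posture scan; as noted in the
! last reply, a CoA can replace the DACL/SGT of a live session but not its group-policy.
aaa-server ISE protocol radius
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server ISE (inside) host 10.0.0.10
 key <SHARED-SECRET>
 authentication-port 1812
 accounting-port 1813

! Group-policies that ISE selects at login by returning RADIUS attribute 25 (Class)
! with the value OU=<group-policy-name>. Because a later CoA cannot move the session
! to another group-policy, keep the quarantine policy usable for remediation and let
! the DACL, not the group-policy, carry the posture-dependent restrictions.
group-policy GP-QUARANTINE internal
group-policy GP-QUARANTINE attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
group-policy GP-STAFF internal
group-policy GP-STAFF attributes
 vpn-tunnel-protocol ssl-client

! Connection profile: authentication and accounting both go to ISE. Accounting is
! what gives ISE the session it later targets with the CoA.
tunnel-group STAFF-VPN type remote-access
tunnel-group STAFF-VPN general-attributes
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy GP-QUARANTINE
tunnel-group STAFF-VPN webvpn-attributes
 group-alias STAFF enable

! ISE side (not ASA CLI): the "Compliant AND AD group" authorization rule returns
! Class = OU=GP-STAFF plus a permissive DACL; the Unknown and Non-Compliant rules
! return Class = OU=GP-QUARANTINE plus a remediation-only DACL. After the posture
! run ISE pushes a CoA that swaps the DACL on the existing session without a reconnect.
```

Check the result on the ASA with `show vpn-sessiondb detail anyconnect`, which lists the assigned group-policy and the DACL currently applied to each session.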