07-20-2021 09:07 AM
I currently use Cisco ASA with LDAP integration. User selects Connection profile and then ASA communicates with AD via LDAP. Authenticates the user and then the ASA will assign the user the proper Group Policy.
I am trying to make it so the Cisco ASA talks to ISE rather than AD directly. I want ISE to do LDAP. Is this possible? Ultimately I will tie posturing into this as well.
On the ASA:
* I have the connection profile authentication method set to AAA, and the AAA server group talks to ISE via RADIUS.
On Cisco ISE
* I have an LDAP external ID source created. Schema set to Custom, my username comes through. Set to Active Directory, the username shows up as INVALID in live logs.
I want to make sure this is all possible before I continue on. It seems possible. I feel like I would need to make a Policy Set per Identity group. Then within that unique policy, reference a different Authentication policy pointing to a unique LDAP server. Within that LDAP server group, I have specific groups added that I would want someone using a certain identity group to be searched for in.
Then make authorization policies / profile per group. If USER was found in LDAP:ExternalGroups then use this profile which would send back to the ASA the proper group policy tag.
Does this all sound right?
07-20-2021 09:14 AM - edited 07-20-2021 09:14 AM
I am trying to make it so the Cisco ASA talks to ISE rather than AD directly. I want ISE to do LDAP. Is this possible? Ultimately I will tie posturing into this as well.
Nowadays this is a standard setup with AD authentication via ISE.
Look at the example guide below:
07-20-2021 09:44 AM - edited 07-20-2021 09:47 AM
@mluszcz68 wrote:
I want to make sure this is all possible before I continue on. It seems possible. I feel like I would need to make a Policy-Set per Identity group. Then within that unique policy, reference a different Authentication policy pointing to a unique LDAP server. Within that LDAP server group, i have specific groups added that I would want someone using a certain identity group to be searched for in.
You don't need to create multiple Policy Sets per identity group. Create 1 Policy Set (match on the ASA's IP address or on its Device Group). Create an authentication rule to authenticate all users against AD/LDAP. Create multiple Authorisation Rules matching against the different groups.
07-21-2021 05:45 AM
Thank you for the reply.
I figured this part out. I don't even need to do LDAP really. When talking with AD, it replies back with the group and I can make an authorization policy around it.
My issue now is I am trying to do posturing as well. I would like to say,
* If unknown then A with THIS group policy.
* If non-compliant, then B with THIS group policy
* If Compliant AND this AD group.. then THIS group policy.
It works, except if someone gets unknown or non-compliant and fixes their client or PC, they will not get the new group policy.
07-22-2021 02:04 AM
That won't work; changing the user from unknown/non-compliant to compliant relies on sending a CoA, which can only update DACLs, SGTs, etc., not change the group-policy.
What settings do you need to apply in the group policy?
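As an added example, not part of this thread and not the original poster's configuration, here is one way to lay this out on the ASA that is consistent with the two replies above: a single RADIUS server group pointing at ISE with CoA enabled, one group policy per AD group that ISE selects once at initial authorization through the RADIUS Class attribute (attribute 25, value "OU=<group-policy>;"), and the per-posture-state differences (Unknown, NonCompliant, Compliant) expressed as a redirect ACL plus downloadable ACLs, which a CoA can replace. The interface name, IP addresses, shared secret, address pool, ACL, group-policy and ISE profile/rule names are all assumptions; the ISE side is described as comments because it is built in the GUI.

```cisco
! ---------- ASA side (added example; names and addresses are assumptions) ----------
! RADIUS server group toward ISE. "dynamic-authorization" lets ISE send a CoA
! (RFC 5176) when the posture status changes; accounting gives ISE the session.
aaa-server ISE protocol radius
 dynamic-authorization
 interim-accounting-update periodic 1
aaa-server ISE (inside) host 10.10.10.5
 key ISE-shared-secret
 authentication-port 1812
 accounting-port 1813

! Redirect ACL for the Unknown posture state: "permit" lines are redirected to the
! ISE client-provisioning portal, "deny" lines are exempt (DNS and ISE itself).
! ISE references this ACL by name, so the name must match exactly.
access-list REDIRECT_ACL extended deny udp any any eq domain
access-list REDIRECT_ACL extended deny ip any host 10.10.10.5
access-list REDIRECT_ACL extended permit tcp any any eq www
access-list REDIRECT_ACL extended permit tcp any any eq https

! Restrictive default: a session that matches no ISE rule gets no access.
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0

! One group policy per AD group. ISE picks it ONCE, at initial authorization, by
! returning Class = "OU=GP_ENGINEERING;" (or GP_FINANCE). A later CoA does not
! replace it, so nothing posture-dependent belongs in these group policies.
group-policy GP_ENGINEERING internal
group-policy GP_ENGINEERING attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
group-policy GP_FINANCE internal
group-policy GP_FINANCE attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall

ip local pool VPN_POOL 10.20.0.10-10.20.0.250 mask 255.255.255.0

tunnel-group VPN_ISE type remote-access
tunnel-group VPN_ISE general-attributes
 address-pool VPN_POOL
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy GP_NOACCESS
tunnel-group VPN_ISE webvpn-attributes
 group-alias VPN_ISE enable

! ---------- ISE side (GUI; shown as the attributes each profile returns) ----------
! Policy Set "ASA-VPN": condition = Network Access:Device IP Address EQUALS <ASA IP>
!   Authentication rule: identity source = the AD join point (no LDAP needed).
!   Authorization rules, evaluated top-down, first match wins:
!
!   1. Eng_Compliant    Session:PostureStatus EQUALS Compliant AND AD ExternalGroups = Engineering
!        Class        = OU=GP_ENGINEERING;
!        DACL         = DACL_ENG_FULL            (permit ip any any, or the engineering subnets)
!   2. Fin_Compliant    Session:PostureStatus EQUALS Compliant AND AD ExternalGroups = Finance
!        Class        = OU=GP_FINANCE;
!        DACL         = DACL_FIN_FULL
!   3. NonCompliant     Session:PostureStatus EQUALS NonCompliant
!        DACL         = DACL_QUARANTINE          (DNS, ISE and remediation servers only)
!   4. Eng_Unknown      Session:PostureStatus EQUALS Unknown AND AD ExternalGroups = Engineering
!        Class        = OU=GP_ENGINEERING;
!        cisco-av-pair = url-redirect-acl=REDIRECT_ACL
!        cisco-av-pair = url-redirect=<generated by "Web Redirection: Client Provisioning (Posture)">
!        DACL         = DACL_QUARANTINE
!   5. Fin_Unknown      same as rule 4 with Finance / OU=GP_FINANCE;
!
! Flow: first RADIUS Access-Request matches rule 4 or 5, so the ASA applies the
! right group policy and the redirect. When AnyConnect/ISE Posture reports
! Compliant or NonCompliant, ISE sends a CoA to the ASA, the session is
! re-authorized against rule 1/2 or 3, the redirect is removed and the DACL swapped.
! The group policy chosen in step one stays in place, which is why the Compliant
! rules return the same Class value rather than a different group policy.
```

The rule order matters: the Compliant rules carry the AD-group condition so that a compliant user in neither group falls through to no rule and therefore to GP_NOACCESS, and the NonCompliant rule sits above the Unknown rules so a failed posture check never re-triggers the portal redirect.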