Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1791
Views
5
Helpful
6
Replies

Connection profile detection in ISE

Go to solution
martinlarsen
Level 1
Level 1

‎02-13-2018 05:38 AM - edited ‎02-21-2020 10:45 AM

I would like to set up an alternate connection profile in the ASA for testing posture assessment when authenticating via ISE.  It is well known that AV pair 25 can be used to assign the group policy.  Is there a way for ISE to determine the connection profile?  This way test testers can get in with or without going through posture assessment during the test period.

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
abhishek.marat1
Level 1
Level 1

‎02-13-2018 07:21 AM

Please try using:

 

Cisco-VPN3000:CVPN3000/ASA/PIX7x-SVC-Profiles contains "Connection profile name".

 

Attaching a screenshot.

 

P.S: Please marked my comment as accepted solution if it works, thank you!

 

 

View solution in original post

Preview file
46 KB

Go to solution
martinlarsen
Level 1
Level 1
In response to Rob Ingram

‎02-14-2018 11:39 AM

It is working now.  CVPN3000/ASA/PIX7x-Tunnel-Group-Name is the proper attribute to check.

 

In the earlier screen shot, the results shown were cached from previous authentications.  Disabling "Suppress repeated successful authentications" corrected how it showed up in the logging.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
abhishek.marat1
Level 1
Level 1

‎02-13-2018 07:21 AM

Please try using:

 

Cisco-VPN3000:CVPN3000/ASA/PIX7x-SVC-Profiles contains "Connection profile name".

 

Attaching a screenshot.

 

P.S: Please marked my comment as accepted solution if it works, thank you!

 

 

Preview file
46 KB

Go to solution
martinlarsen
Level 1
Level 1

‎02-14-2018 08:48 AM

I jumped the gun clicking on the "Solved" button.  I see in the following message in the authentication steps in ISE, but there is no answer.

 

15048

Queried PIP - Cisco-VPN3000.CVPN3000/ASA/PIX7x-SVC-Profiles

 

I do see an entry for CVPN3000/ASA/PIX7x-Tunnel-Group-Name in "Other Attributes".  This entry is just plain wrong.  It lists the name of a different connection profile in the ASA; not the one connected to in this session.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to martinlarsen

‎02-14-2018 10:53 AM

"CVPN3000/ASA/PIX7x-Tunnel-Group-Name" EQUALS Profile-Name < this works for me. I can create multiple AuthZ rules in ISE and match on each rule depending on which Tunnel Group the user connects to (via drop down box in AC).

What is the output of "Tunnel-Group:" when you run "show vpn-sessiondb detail anyconnect"? That should match the Tunnel-Group in the ISE Live logs.
0 Helpful

Go to solution
martinlarsen
Level 1
Level 1
In response to Rob Ingram

‎02-14-2018 11:01 AM

Connection_Policy_Mismatch.PNG

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to martinlarsen

‎02-14-2018 11:04 AM

Do you have a certificate map overriding the tunnel-group?
0 Helpful

Go to solution
martinlarsen
Level 1
Level 1
In response to Rob Ingram

‎02-14-2018 11:39 AM

It is working now.  CVPN3000/ASA/PIX7x-Tunnel-Group-Name is the proper attribute to check.

 

In the earlier screen shot, the results shown were cached from previous authentications.  Disabling "Suppress repeated successful authentications" corrected how it showed up in the logging.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents