FTD AnyConnect with ISE Auth based on Group Policy

leighharrison
Level 7

Hello folks,

I've got AnyConnect VPN set up on FTD and I want to write a different policy set for AuthN/AuthZ based on the group-policy that they're attempting to connect to.

For example, if a user tries to connect to Group_A, I want them to hit a specific policy set in ISE for AuthN and AuthZ; if they're using Group_B, I want them to hit a different rule.

The reason is that I've got different authentication methods for different people, i.e., 3rd parties are AuthN only with a RADIUS token server, and internal users are AuthN and AuthZ based on AD groupings.

Best, Leigh

Accepted Solution

Mike.Cifelli
VIP Alumni

Try utilizing the following condition in your ISE authz policies to differentiate accordingly and steer proper authz result:

Cisco-VPN3000 CVPN3000/ASA/PIX7-Tunnel-Group-Name EQUALS <unique tunnel group>

For additional capabilities/options see VPN conditions under Unclassified->Cisco-VPN3000 dictionary.

HTH!

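The accepted answer keys the ISE policy on the tunnel-group name the FTD reports. As an added, constructed example (not code from this thread or from Cisco), the snippet below shows how that value travels inside a RADIUS Vendor-Specific attribute and how a "Tunnel-Group-Name EQUALS <group>" condition selects a policy set, with malformed attribute lengths rejected rather than skipped. The vendor ID 3076 and sub-attribute number 146 are assumptions taken from Cisco's ASA RADIUS attribute table; the policy-set names are invented.

```python
import struct

# Assumed from Cisco's ASA RADIUS attribute table (verify against your ISE
# dictionary): vendor ID 3076, Tunnel-Group-Name sub-attribute 146.
CISCO_VPN3000_VENDOR_ID = 3076
TUNNEL_GROUP_NAME_VSA = 146
VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute type

# Policy set per tunnel group; unlisted groups fall through to the default.
POLICY_SETS = {"Group_A": "ThirdParty_TokenServer_AuthN",
               "Group_B": "Internal_AD_AuthN_AuthZ"}
DEFAULT_POLICY_SET = "Default"


def build_vsa(vendor_id, vsa_type, value):
    """Encode one Vendor-Specific AVP carrying a single vendor sub-attribute."""
    sub = struct.pack("!BB", vsa_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_avps(data):
    """Yield (type, value) pairs from a RADIUS attribute list; reject bad lengths."""
    i = 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed AVP length")
        yield atype, data[i + 2:i + alen]
        i += alen


def tunnel_group_name(avps):
    """Return the Tunnel-Group-Name the FTD/ASA sent, or None if absent."""
    for atype, value in parse_avps(avps):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VPN3000_VENDOR_ID:
            continue
        for sub_type, sub_val in parse_avps(value[4:]):
            if sub_type == TUNNEL_GROUP_NAME_VSA:
                return sub_val.decode("utf-8", errors="replace")
    return None


def select_policy_set(avps):
    """Apply the condition 'Tunnel-Group-Name EQUALS <group>' to pick a policy set."""
    return POLICY_SETS.get(tunnel_group_name(avps), DEFAULT_POLICY_SET)


# Constructed Access-Request attribute list: User-Name (type 1) plus the Cisco VSA.
SAMPLE_REQUEST = (struct.pack("!BB", 1, 13) + b"contractor1"
                  + build_vsa(CISCO_VPN3000_VENDOR_ID, TUNNEL_GROUP_NAME_VSA, b"Group_A"))
```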

2 Replies

leighharrison
Level 7

All,

I've sorted it. For future reference, it's here:

[Screenshot: Capture.PNG]

It's under Cisco > CVPN3000/ASA/PIX7x-Tunnel-Group-Name

Good luck - hope it helps.

Best, Leigh
