
How to use two policy sets in ISE, one for device login and one for AnyConnect

ssajiby2k
Level 1

Hi,

I am trying to achieve this goal below in ISE:

1. One policy set which gives networkadmin users from the domain administrative privilege for Cisco ASA SSH login.

2. Another policy which gives domain users access through AnyConnect VPN.

In Windows NPS RADIUS we can create policies where Active Directory groups are part of the policy conditions.

But in ISE I cannot do that.

I am attaching a picture of my setup.

As far as I understand, a policy set first matches its conditions, then checks the authentication and authorization policies. So, for me, AnyConnect users cannot go to their policy set, because I cannot use my AD group as a condition in the policy set.

Help is much appreciated.

Regards

1 Accepted Solution

ssajiby2k
Level 1

@Rob Ingram

Many thanks for your tips.

Now it works.

I still do not understand why ISE has no facility to bind an AD group as a condition in policy sets even after so many years.

When an AD group is accessible as a condition, we do not need to play with these strange dictionaries and attributes.

As for me, the "netadmins" group in AD has as its sole purpose users who have administrative access to network devices.

Anyway, many thanks for the help.

4 Replies

Hi @ssajiby2k

I assume you are using RADIUS for mgmt and not TACACS?

Consider using Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name <TUNNEL-GROUP NAME> or alternatively Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type <AnyConnect-Client-SSL-VPN> in your rules.

For example, in your "ASA-Login" rule you could specify that the Client-Type does not equal AnyConnect-Client, SSL-VPN or IPSec. If an admin authenticates using SSH, they will match that rule. If a user connects with the AnyConnect client they will not match that rule and skip to the next rule.

Or specify that it does not equal the Tunnel-Group name(s); therefore it must be an admin authentication.

HTH


Hi @ssajiby2k

Have you tried this:

 Administration > Identity Management > External Identity Sources:
 Active Directory > <select the AD>
  On Groups tab > Add > Select Groups from Directory
   <Add the AD Group>

Policy > Policy Sets >
 select the Policy Set Name
 Authorization Policy > select the Rule Name
  Conditions:
  Attributes: ExternalGroups
 <Choose the AD Group that you added before>

ExternalGroups.png

Hope this helps!

ISE does not offer an AD group for choosing a Policy Set because you have not yet been authenticated. How do we even know you will be authenticated with AD? Maybe we need to try multiple AD domains in an Identity Source Sequence.

All ISE has, to quickly decide which Policy Set to use for Authentication and Authorization, is the RADIUS attributes in the initial RADIUS request.

With Microsoft NPS, the AD domain is your only option for authentication, so it authenticates first and then chooses policies based on groups.
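As an added illustration of two of the replies above (Rob Ingram's suggestion to key the policy set on the Cisco-VPN3000 Tunnel-Group-Name / Client-Type attributes, and the last reply's point that policy-set selection sees only the RADIUS request while ExternalGroups only exists after authentication), here is a small Python model of the evaluation order. This is example code written for this page, not ISE code and not something posted in the thread. The two dictionary attribute names and the AnyConnect-Client-SSL-VPN value are the ones quoted in the thread; the users, passwords, groups, policy-set and rule names, tunnel-group name and result strings are all constructed for illustration.

```python
"""Model of ISE's evaluation order for one RADIUS Access-Request.

Added example, not ISE code or anything posted in the thread. The two
dictionary attribute names and the AnyConnect-Client-SSL-VPN value are the
ones quoted in the thread; everything else (users, passwords, groups, policy
names, tunnel-group name, result strings) is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# ISE dictionary attributes quoted in the thread (sent by the ASA for VPN logins).
TUNNEL_GROUP_ATTR = "Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name"
CLIENT_TYPE_ATTR = "Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type"
# Only the value quoted in the thread; extend with the other Client-Type values
# your ISE dictionary lists if you negate on Client-Type instead of Tunnel-Group.
VPN_CLIENT_TYPES = {"AnyConnect-Client-SSL-VPN"}

# Constructed stand-in for the AD join point. ISE only queries it after a
# policy set has been chosen and the authentication rule has run.
AD_USERS: Dict[str, Dict] = {
    "alice": {"password": "S3cret!", "groups": {"Domain Users", "netadmins"}},
    "bob":   {"password": "Winter24", "groups": {"Domain Users"}},
}

Attrs = Dict[str, str]


@dataclass
class AuthzRule:
    name: str
    # Evaluated after authentication, so ExternalGroups is available here.
    condition: Callable[[Dict], bool]
    result: str


@dataclass
class PolicySet:
    name: str
    # Evaluated on the raw Access-Request only: no identity lookup has happened.
    condition: Callable[[Attrs], bool]
    authz_rules: List[AuthzRule] = field(default_factory=list)
    default_result: str = "DenyAccess"


def is_vpn_request(attrs: Attrs) -> bool:
    """Rob's test: a VPN login carries a Tunnel-Group-Name and/or a VPN Client-Type."""
    return TUNNEL_GROUP_ATTR in attrs or attrs.get(CLIENT_TYPE_ATTR) in VPN_CLIENT_TYPES


def in_group(group: str) -> Callable[[Dict], bool]:
    return lambda ctx: group in ctx["ExternalGroups"]


# Ordered like Rob's suggestion: ASA-Login first with the negated VPN condition,
# AnyConnect requests fall through to the next set, Default catches the rest.
POLICY_SETS: List[PolicySet] = [
    PolicySet("ASA-Login", lambda a: not is_vpn_request(a),
              [AuthzRule("NetAdmins-Priv15", in_group("netadmins"), "PermitAccess:Priv-15")]),
    PolicySet("AnyConnect-VPN", is_vpn_request,
              [AuthzRule("Domain-Users-VPN", in_group("Domain Users"), "PermitAccess:VPN-Users")]),
    PolicySet("Default", lambda a: True),
]


def select_policy_set(attrs: Attrs, policy_sets: List[PolicySet]) -> PolicySet:
    """Step 1: first policy set whose condition matches the RADIUS attributes."""
    return next(ps for ps in policy_sets if ps.condition(attrs))


def authenticate(attrs: Attrs) -> Optional[Set[str]]:
    """Step 2: check the credential; on success return the AD groups that ISE
    exposes to authorization rules as ExternalGroups."""
    user = AD_USERS.get(attrs.get("User-Name", ""))
    if user is None or user["password"] != attrs.get("User-Password"):
        return None
    return user["groups"]


def evaluate(attrs: Attrs, policy_sets: List[PolicySet] = POLICY_SETS) -> Tuple[str, str]:
    """Return (policy set chosen, authorization result) for one Access-Request."""
    ps = select_policy_set(attrs, policy_sets)
    groups = authenticate(attrs)
    if groups is None:
        return ps.name, "Access-Reject"
    ctx = {"ExternalGroups": groups, "radius": attrs}
    for rule in ps.authz_rules:          # Step 3: first matching authorization rule wins
        if rule.condition(ctx):
            return ps.name, rule.result
    return ps.name, ps.default_result


# Constructed Access-Requests. An SSH admin login from the ASA carries no
# VPN attributes; an AnyConnect login carries both.
SSH_ADMIN: Attrs = {"User-Name": "alice", "User-Password": "S3cret!", "NAS-IP-Address": "192.0.2.1"}
SSH_USER: Attrs = {"User-Name": "bob", "User-Password": "Winter24", "NAS-IP-Address": "192.0.2.1"}
VPN_USER: Attrs = {**SSH_USER, TUNNEL_GROUP_ATTR: "Employees", CLIENT_TYPE_ATTR: "AnyConnect-Client-SSL-VPN"}
VPN_ADMIN: Attrs = {**SSH_ADMIN, TUNNEL_GROUP_ATTR: "Employees", CLIENT_TYPE_ATTR: "AnyConnect-Client-SSL-VPN"}
BAD_PASSWORD: Attrs = {**SSH_ADMIN, "User-Password": "wrong"}

if __name__ == "__main__":
    for label, req in [("alice via SSH", SSH_ADMIN), ("bob via SSH", SSH_USER),
                       ("bob via AnyConnect", VPN_USER), ("alice via AnyConnect", VPN_ADMIN),
                       ("alice, bad password", BAD_PASSWORD)]:
        print(f"{label:22s} -> {evaluate(req)}")
```

The check worth carrying over to a real deployment is the bob-via-SSH case: the negated condition routes every non-VPN request from the ASA into the ASA-Login set, so that set's authorization rule (ExternalGroups contains netadmins, as the second reply describes) is what actually keeps a plain domain user out of the device, and the default result of that set must stay at deny. The alice-via-AnyConnect case shows the other half: an admin's VPN session lands in the VPN set and gets only the VPN result, not the privilege-15 one.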