03-26-2015 09:32 AM - edited 03-10-2019 10:35 PM
Hi,
I've created a compound condition to match the AnyConnect client and authorize them as required, but the problem is, if the user does not match the AnyConnect group and matches the SSH group (a user group only allowed to SSH to the ASA), he gets authenticated to AnyConnect and gets access to the default tunnel group.
AnyConnect condition: Device type, NAS-Port-Type=Virtual and Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type=Anyconnect-client
SSH condition: Device type, NAS-Port-Type=Virtual
Basically, if the user does not match the AnyConnect condition, he can still VPN through the SSH condition.
Thanks,
Khaled
03-26-2015 03:08 PM
Hi Khaled-
A couple of questions:
1. What is the operator set to in your compound condition? Do you have it set to "AND" or do you have it set to "OR"?
2. Have you confirmed that the user is hitting the expected ISE rule when he/she succeeds the VPN authentication? I have had issues like that before only to realize that the users were hitting a different rule and being permitted access that way.
Thank you for rating helpful posts!
03-27-2015 02:35 AM
Hi Neno,
I will try to break the problem down. I use AND all the time.
A user who is NOT part of the VPN group BUT is part of the SSH group: if he tries to VPN, he will be authenticated (default authentication rule, which is not a problem) and will then be authorized, but because the VPN authorization rule does NOT match, it will not give access (normal); but as you know, the request jumps to the next rule to find a match, and in this case the next rule is the SSH rule.
In the SSH rule the user is configured, but only for SSH, not for VPN; he will be granted access to the VPN, he will hit the DEFAULT tunnel group and, by default, the DfltGrpPolicy.
Is there any unique attribute to lock down the SSH rule to SSH only?
Thanks for your help.
03-27-2015 02:22 PM
There are several ways you can do this. Probably the cleanest way is to use different Policy Sets. One for the VPN access and one for the device administration.
But to keep things simple, you can use the same "Cisco-VPN3000...." attribute in your SSH condition, but instead of "=" you can use "Not Equal". That way, if the SSH session sees the AnyConnect client being used, the condition won't be matched.
Thank you for rating helpful posts!
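The rule evaluation this thread describes, as an added example that is not part of the original posts or of ISE itself: a small Python model of first-match authorization rules with AND compound conditions, using the attribute names from the posts, that shows the fall-through into the SSH rule and how the "Not Equal" condition closes it. The rule and group names (VPN-Users, SSH-Admins) and the assumption that an absent attribute satisfies "Not Equal" are constructed for the example.

```python
# Added example, not from the thread: model of ISE-style first-match authorization
# rules with AND compound conditions. Rule and group names are constructed.
CLIENT_TYPE = "Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type"
ANYCONNECT = "Anyconnect-client"

def equals(attr, value):
    return lambda req: req.get(attr) == value

def not_equals(attr, value):
    # Assumption: an absent attribute (an SSH login never sends the client-type
    # attribute) satisfies "Not Equal"; that is what the fix relies on.
    return lambda req: req.get(attr) != value

def in_group(group):
    return lambda req: group in req.get("groups", ())

def authorize(rules, req):
    """First rule whose AND-compound condition matches wins; otherwise deny."""
    for name, conditions in rules:
        if all(cond(req) for cond in conditions):
            return name
    return "deny"

COMMON = [equals("Device-Type", "ASA"), equals("NAS-Port-Type", "Virtual")]
VPN_RULE = ("AnyConnect-Access", COMMON + [equals(CLIENT_TYPE, ANYCONNECT), in_group("VPN-Users")])
# Original SSH rule: nothing distinguishes an SSH login from a VPN login
SSH_RULE_ORIGINAL = ("SSH-Admin-Access", COMMON + [in_group("SSH-Admins")])
# Fixed SSH rule: additionally require the client type to NOT be AnyConnect
SSH_RULE_FIXED = ("SSH-Admin-Access", COMMON + [not_equals(CLIENT_TYPE, ANYCONNECT), in_group("SSH-Admins")])

# Constructed RADIUS requests (attribute names and values as given in the thread)
REQUESTS = {
    "vpn_by_ssh_only_user": {"Device-Type": "ASA", "NAS-Port-Type": "Virtual",
                             CLIENT_TYPE: ANYCONNECT, "groups": {"SSH-Admins"}},
    "ssh_by_ssh_only_user": {"Device-Type": "ASA", "NAS-Port-Type": "Virtual",
                             "groups": {"SSH-Admins"}},
    "vpn_by_vpn_user": {"Device-Type": "ASA", "NAS-Port-Type": "Virtual",
                        CLIENT_TYPE: ANYCONNECT, "groups": {"VPN-Users"}},
}

def evaluate(fixed):
    """Outcome of every constructed request under the original or the fixed SSH rule."""
    rules = [VPN_RULE, SSH_RULE_FIXED if fixed else SSH_RULE_ORIGINAL]
    return {name: authorize(rules, req) for name, req in REQUESTS.items()}

if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed SSH rule:" if fixed else "original SSH rule:", evaluate(fixed))
```

With the original SSH rule the SSH-only user's VPN attempt lands on SSH-Admin-Access (the fall-through from the thread); with the fixed rule it is denied while plain SSH logins and real VPN users are unaffected.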
03-30-2015 07:45 AM
I've tried it and it's working fine.
Thanks.
03-30-2015 09:58 AM
Awesome! Glad I was able to help! :)