ISE 1.3 --> ASA ssh and anyconnect attribute

khaled alodat
Level 1

Hi,

 

I've created a compound condition to match the AnyConnect client and authorize them as required, but the problem is: if the user does not match the AnyConnect group but matches the SSH group (a user group only for SSH access to the ASA), he gets authenticated to AnyConnect and gets access to the default tunnel group.

AnyConnect condition: Device type, NAS-Port-Type=Virtual and Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type=Anyconnect-client

SSH condition: Device type, NAS-Port-Type=Virtual

Basically, if the user does not match the AnyConnect condition, he can still VPN through the SSH condition.

 

Thanks,

 

Khaled

 

Accepted Solution

There are several ways you can do this. Probably the cleanest way is to use different Policy Sets: one for the VPN access and one for the device administration.

But to keep things simple, you can use the same "Cisco-VPN3000...." attribute in your SSH condition, but instead of "=" you can use "Not Equal". That way, if the SSH session sees the AnyConnect client being used, then the condition won't be matched.

 

Thank you for rating helpful posts!


nspasov
Cisco Employee

Hi Khaled,

A couple of questions:

1. What is the operator set to in your compound condition? Do you have it set to "AND" or do you have it set to "OR"?

2. Have you confirmed that the user is hitting the expected ISE rule when he/she succeeds in the VPN authentication? I have had issues like that before, only to realize that the users were hitting a different rule and being permitted access that way.

 

Thank you for rating helpful posts!

Hi Neno,

I will try to break the problem down. I use AND all the time.

A user who is NOT part of the VPN group BUT is part of the SSH group: if he tries to VPN, he will be authenticated (default authentication rule, which is not a problem) and will be authorized, but because the VPN authorization rule is NOT matched it will not give access (normal); but as you know, the request jumps to the next rule to find a match, and in this case the next rule is the SSH one.

In the SSH rule the user is configured, but only for SSH, not for VPN; he will be granted access to the VPN, he will hit the DEFAULT tunnel group and by default the DfltGrpPolicy.

Is there any unique attribute to lock down the SSH rule to only SSH?

 

Thanks for your help


I've tried it and it's working fine.

Thanks

Awesome! Glad I was able to help! :)
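The first-match fall-through described in this thread, and the effect of the accepted "Not Equal" fix, modelled as an added example (this is not ISE code; the rule names, group names and the assumption that an SSH login carries no Client-Type attribute, so that NOT EQUALS treats an absent attribute as not equal, are constructed for the illustration):

```python
# Added example: a minimal first-match authorization policy that reproduces the
# fall-through from the thread (an SSH-only admin matching the SSH rule on an
# AnyConnect request) and the fix of adding a NOT EQUALS Client-Type condition.
# Attribute names follow the thread; group names and results are constructed.

CLIENT_TYPE = "Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type"

def equals(attr, value):
    # Matches only when the attribute is present and equal.
    return lambda req: req.get(attr) == value

def not_equals(attr, value):
    # Matches when the attribute is absent or differs (assumption: an SSH
    # login sends no Client-Type attribute, so this holds for SSH sessions).
    return lambda req: req.get(attr) != value

def in_group(group):
    return lambda req: group in req.get("groups", ())

def all_of(*conds):
    # Compound condition with the AND operator, as used by the original poster.
    return lambda req: all(c(req) for c in conds)

def authorize(rules, req):
    """First-match evaluation: the first rule whose condition holds decides;
    if none matches, the default rule denies access."""
    for name, cond, result in rules:
        if cond(req):
            return name, result
    return "Default", "DenyAccess"

def build_policy(fixed):
    vpn_cond = all_of(equals("NAS-Port-Type", "Virtual"),
                      equals(CLIENT_TYPE, "Anyconnect-client"),
                      in_group("VPN-Users"))
    ssh_conds = [equals("NAS-Port-Type", "Virtual"), in_group("SSH-Admins")]
    if fixed:  # the accepted solution: exclude AnyConnect sessions from the SSH rule
        ssh_conds.append(not_equals(CLIENT_TYPE, "Anyconnect-client"))
    return [("AnyConnect", vpn_cond, "PermitAccess:vpn-profile"),
            ("SSH", all_of(*ssh_conds), "PermitAccess:shell-priv15")]

# Constructed requests: an SSH-only admin opening an AnyConnect session, and the
# same admin logging in over SSH (no Client-Type attribute in the request).
VPN_REQ = {"NAS-Port-Type": "Virtual", CLIENT_TYPE: "Anyconnect-client", "groups": {"SSH-Admins"}}
SSH_REQ = {"NAS-Port-Type": "Virtual", "groups": {"SSH-Admins"}}

if __name__ == "__main__":
    for fixed in (False, True):
        policy = build_policy(fixed)
        print("fixed" if fixed else "original", authorize(policy, VPN_REQ), authorize(policy, SSH_REQ))
```

With the original rules the AnyConnect request from the SSH-only admin falls through to the SSH rule and is permitted; with the NOT EQUALS condition added it reaches the default deny, while the SSH login still matches the SSH rule.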