05-21-2020 01:36 PM
I'm having a weird issue with DACLs for users that VPN in and belong to specific AD groups:
Ultimately I have a DACL that I want assigned to users with a certain AD group membership when they hit our ASA via SSL VPN. My tunnel group uses ISE for authorization, and it's configured as a RADIUS server. On ISE, I have the ASA in my device list and have a policy that points users that belong to a certain AD group known to ISE to an authorization profile that has my DACL tied to it. I know communication between ISE and ASA is present by looking at my RADIUS logs. The funny thing is, if I try using ISE as my authentication server (which I don't plan to; I have another server for that), I can't log in to VPN but get the DACL in the logs. If I do not use ISE for authC and purely use it for authZ, I can access the VPN fine, I just don't get the DACL.
Anybody got tips on what I'm missing?
ISE 2.6
05-22-2020 11:20 AM
Thanks everyone. Figured out my own problem. Turns out the DACL I was sending was over-restrictive! Once I made some additions to the permissions, things work great!
05-21-2020 04:52 PM
05-22-2020 07:22 AM
05-22-2020 06:59 AM
Looks like when you are just using authorization from ISE, you are hitting a different authorization policy on ISE, but when using both authentication and authorization via ISE, a different policy. Please confirm.
Attach the authentication report for both scenarios along with the DACL content (what you are permitting).
Also need to take a look into the "sh tech" of the ASA.
05-22-2020 07:18 AM
11-12-2021 01:43 PM
I have the same problem. We have an ISE v2.7 patch 4 deployment and an ASA for remote VPN. Our ISE has a policy set for VPN access. This policy set has an authorization policy which validates username, AD access group and public IP (one policy per user); if everything matches, then a result profile is applied. This profile sets the IP, mask and DACL for the remote VPN connection. What we want is to filter users' traffic from ISE policies (and not from the ASA with a DAP, for example). The problem is, if the DACL is applied the user cannot log in to VPN; if we remove the DACL from the profile, the user logs in without problems. We saw a weird behavior with the DACL. If the DACL has a "permit ip any any" only, it works for sure (but is useless), but if we add another "permit" row before it, the user can't log in to VPN again. It seems like the DACL supports only one rule for VPN connections. We also use DACLs for 802.1X/MAB access on our campus switches and none of these problems happen.
We tried reversing the order of IPs in the DACL's rules (destination IP first and ANY after) but got the same problem (user cannot log in).
Our ISE's live logs show VPN authentication successful and DACL download succeeded, but the user got a "Login failed" error.
09-30-2022 01:39 PM
Were you able to resolve these issues?
09-30-2022 01:43 PM
I just resolved the issue by using a regular subnet mask, not a wildcard, for the ASAs; it seems to be different compared to the switches.
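As an added illustration of the fix above (example code, not from any poster or from Cisco), the helper below scans a DACL written in switch style with wildcard masks, flips each contiguous wildcard mask to the subnet-mask form the ASA expects, and reports masks that are neither. The sample DACL is constructed for the example.

```python
import ipaddress
import re

# Constructed sample DACL (not from the thread): switch-style ACEs using
# wildcard masks, which ISE pushes fine to IOS switches but not to the ASA.
SAMPLE_DACL = """\
permit tcp any host 10.10.30.5 eq 443
permit ip any 10.10.20.0 0.0.0.255
permit ip 10.1.1.1 0.0.0.0 any
permit ip any any
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
ALL_ONES = 0xFFFFFFFF


def is_netmask(value: int) -> bool:
    """True when the 32-bit value is a contiguous run of 1s from the top (255.255.255.0 style)."""
    inv = (~value) & ALL_ONES
    return (inv & (inv + 1)) == 0  # the inverse must be 2^n - 1


def fix_ace_for_asa(line: str):
    """Return (fixed_line, notes). Contiguous wildcard masks are flipped to
    subnet masks; ambiguous or non-contiguous masks are reported, not guessed."""
    tokens = line.split()
    fixed, notes = tokens[:], []
    i = 0
    while i < len(tokens) - 1:
        addr, mask_txt = tokens[i], tokens[i + 1]
        if IPV4.match(addr) and IPV4.match(mask_txt):
            mask = int(ipaddress.IPv4Address(mask_txt))
            if mask == 0:
                # 0.0.0.0 is a single host in wildcard form; on the ASA spell it out as 'host'.
                notes.append(f"mask 0.0.0.0 after {addr} is ambiguous; use 'host {addr}' on the ASA")
            elif is_netmask(mask):
                pass  # already in ASA subnet-mask form
            elif is_netmask((~mask) & ALL_ONES):
                fixed[i + 1] = str(ipaddress.IPv4Address((~mask) & ALL_ONES))
                notes.append(f"wildcard mask {mask_txt} rewritten as subnet mask {fixed[i + 1]}")
            else:
                notes.append(f"mask {mask_txt} is neither a subnet mask nor a contiguous wildcard")
            i += 2
            continue
        i += 1
    return " ".join(fixed), notes


def convert_dacl(text: str):
    """Apply fix_ace_for_asa to every non-empty ACE line of a DACL."""
    return [fix_ace_for_asa(l) for l in text.splitlines() if l.strip()]
```

Run `convert_dacl(SAMPLE_DACL)` and compare the output against what ISE shows as downloaded before pushing the corrected DACL to the authorization profile.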