1204 Views, 10 Helpful, 3 Replies

ISE Policy Set Question

benolyndav (Level 4)

Hi

We have an existing ISE deployment and I am in the middle of trying to set up AnyConnect. Would I be best creating a new policy set for AnyConnect use, and would this interfere with the existing Policy Set?

Also, what's the best way to create a RADIUS rule for AnyConnect? I have an AD group for the authorisation, so for AuthZ I was thinking of:

policy = Network Device Firewall and AD group = then AuthZ profile for a DACL for AnyConnect users.

Is this OK?

Thanks

Accepted Solution

Hi @benolyndav 

Create a new Policy Set, the condition to match the Policy Set can be "Radius Nas IP Address + x.x.x.x". Yes, the Policy Sets are matched top down, if the connection request does not come from the FTD, then the next policy set would be attempted.

Yes, the authorisation rule example would work - the FTD uses the same RADIUS attributes as the ASA. Authorisation Rules are also matched from top down, until a match found.


3 Replies

@benolyndav if this is for AnyConnect users for Remote Access, then yes, personally I'd set up a Policy Set which is separate to Wired/Wireless. You can match on a condition of the NAS IP address of the Firewall (ASA/FTD) for the Policy Set, which would therefore not apply to the existing Wired/Wireless policy set - though that depends on the condition you already use.

For specific Authorisation rules you can match on the AD Group(s). If you have multiple tunnel-groups you can match on the ASA/FTD tunnel group - use the condition "Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type" EQUAL <tunnel-group name>
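To make the matching order described in the accepted solution and in the reply above concrete, here is a small Python model of how a RADIUS request walks ordered Policy Sets and then that set's Authorization Rules. It is an added example for this thread, not Cisco code, and it does not talk to a real ISE node. The condition names are the ISE dictionary names quoted in the thread; the FTD address, AD group names, tunnel-group name and profile names are constructed samples.

```python
"""Toy model of how ISE walks Policy Sets and Authorization Rules.

Added example for this thread; it is not Cisco code and does not talk to a
real ISE node. It reproduces the behaviour described in the replies: policy
sets are tried top-down and the first whose condition matches is used, then
that set's authorization rules are tried top-down until one matches. Attribute
names are the ISE condition names quoted in the thread; the IP addresses, AD
group names, tunnel-group name and profile names are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Request = Dict[str, object]          # RADIUS attributes plus AD group lookups
Condition = Callable[[Request], bool]


@dataclass
class AuthzRule:
    name: str
    condition: Condition
    profile: str                     # authorization profile, e.g. one that pushes a DACL


@dataclass
class PolicySet:
    name: str
    condition: Condition
    authz_rules: List[AuthzRule] = field(default_factory=list)
    default_profile: str = "DenyAccess"   # used when the set matches but no rule does


# Condition builders named after the ISE conditions used in the thread.
def nas_ip_is(ip: str) -> Condition:
    return lambda r: r.get("Radius:NAS-IP-Address") == ip


def in_ad_group(group: str) -> Condition:
    return lambda r: group in r.get("AD-Groups", ())


def client_type_is(value: str) -> Condition:
    # "Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type EQUAL <tunnel-group name>", as quoted above
    return lambda r: r.get("Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type") == value


def all_of(*conds: Condition) -> Condition:
    return lambda r: all(c(r) for c in conds)


def match_any(r: Request) -> bool:
    return True


def evaluate(policy_sets: List[PolicySet], request: Request) -> Tuple[Optional[str], str]:
    """Return (policy set name, authorization profile) for one request.

    Policy sets are checked top-down; the first match is used and there is no
    fall-back to a later set when none of its authorization rules match.
    """
    for ps in policy_sets:
        if not ps.condition(request):
            continue                                # not from this NAD: try the next set
        for rule in ps.authz_rules:
            if rule.condition(request):
                return ps.name, rule.profile
        return ps.name, ps.default_profile          # matched the set, no rule matched
    return None, "DenyAccess"                       # nothing matched at all


FTD_IP = "192.0.2.10"   # constructed sample address of the FTD/ASA network device


def build_policy_sets(vpn_first: bool = True) -> List[PolicySet]:
    """Constructed sample: a new AnyConnect set beside an existing wired/wireless set."""
    anyconnect = PolicySet(
        name="AnyConnect-RA",
        condition=nas_ip_is(FTD_IP),
        authz_rules=[
            AuthzRule("Employees", all_of(client_type_is("RA-Employees"), in_ad_group("VPN-Users")),
                      "AnyConnect-Employee-DACL"),
            AuthzRule("Contractors", in_ad_group("VPN-Contractors"), "AnyConnect-Contractor-DACL"),
        ],
    )
    wired_wireless = PolicySet(
        name="Wired-Wireless",
        condition=match_any,       # a catch-all condition, as many existing deployments use
        authz_rules=[AuthzRule("Domain-Users", in_ad_group("Domain Users"), "Corp-Access")],
    )
    return [anyconnect, wired_wireless] if vpn_first else [wired_wireless, anyconnect]


# Constructed sample requests (attribute values are made up for the example).
VPN_EMPLOYEE = {"Radius:NAS-IP-Address": FTD_IP,
                "Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type": "RA-Employees",
                "AD-Groups": ("Domain Users", "VPN-Users")}
VPN_UNKNOWN = {"Radius:NAS-IP-Address": FTD_IP, "AD-Groups": ("Domain Users",)}
WIRED_USER = {"Radius:NAS-IP-Address": "192.0.2.50", "AD-Groups": ("Domain Users",)}

if __name__ == "__main__":
    for label, req in (("vpn employee", VPN_EMPLOYEE), ("vpn unknown", VPN_UNKNOWN), ("wired", WIRED_USER)):
        print(label, evaluate(build_policy_sets(), req))
    # With the catch-all set ordered first, the AnyConnect set is never reached.
    print("vpn employee, catch-all first", evaluate(build_policy_sets(vpn_first=False), VPN_EMPLOYEE))
```

Two things the model makes visible that the prose only implies: a VPN user who reaches the AnyConnect set but matches none of its rules gets that set's default result rather than falling through to the wired/wireless set, so the new set needs its own catch-all or deny rule; and if the existing set uses a match-anything condition and sits above the new one, the NAS IP condition never gets a chance, which is the "depends on the condition you already use" caveat.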


Hi Rob, so:

1. New policy set.

2. Authentication = Radius Nas IP Address + x.x.x.x. Is RADIUS allowed when using Default Network Access as the allowed protocols?

Also, the below looks like something I will use; can it be used for FTD?

For specific Authorisation rules you can match on the AD Group(s), if multiple tunnel-groups you can match on the ASA/FTD tunnel group - use the condition "Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type" EQUAL <tunnel-group name>

Also, are policy sets/rules checked in a top-down fashion until a match is found?


Thanks
