
Remote Access SSL VPN with Split tunneling and ISE posture

imanv
Level 1

I have a Cisco ASA configured as a VPN gateway using AnyConnect as the VPN client, and I plan to migrate to FTD soon. My remote access SSL VPN setup includes split tunneling with ISE posture assessment. However, I suspect I have a misconfiguration or misunderstanding, because I need to create two authorization policies for each remote VPN group. Let me clarify the issue:

 

Example Scenario:

Users in Active Directory Group 1 must access a specific IP address:

IP 1: x.x.x.x/32

Current Configuration Steps in ASA:

  1. I create an object group in ASA and set the required IP(s) in it:

object-group network GROUP1
 network-object host x.x.x.x

  2. An access list to call it in DAP:

access-list DAP_ACL_GROUP1 extended permit ip object-group REMOTE_VPN_IPs object-group GROUP1

  3. Creating the split tunnel ACL:

access-list SPLIT_ACL_GROUP1 extended permit ip object-group GROUP1 any

  4. Creating the DAP access policy (DAP ACL):

dynamic-access-policy-record DAP_GROUP1
 network-acl DAP_ACL_GROUP1
 webvpn
  http-proxy enable

Current Configuration Steps in ISE:

  1. An authorization policy GROUP1_NON:

     I call the split tunnel (example: SPLIT_ACL_GROUP1)

     I call the dACL (Permit PSNs) and configure the redirect to the ISE provisioning portal

  2. In authorization policy GROUP1_COM:

     I just call the DAP (for example DAP_GROUP1)

ISE checks the client’s posture (e.g., antivirus, firewall status) and assigns a compliance verdict. If compliant, the user matches the ISE "Posture Compliant" policy and gains access.

If non-compliant, the client has no access to anything.


Problem:

I require a setup where:

  • All non-compliant users (regardless of group membership) match a single Non-Compliant policy with the same restricted split tunnel.
  • Compliant users match group-specific policies with their specific split tunnel access (e.g., IPs/networks).

Currently, I’m forced to create duplicate policies for each group (one for compliant, one for non-compliant), which seems inefficient.

Current Versions:

ISE: 3.1 Patch 9

ASA: 9.14(4)24
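As an added example (not from the post, and not Cisco code), a small consistency check for the ASA pattern described above: it parses the object-group, access-list and dynamic-access-policy-record lines and reports, per DAP record, destinations the DAP ACL permits but the split-tunnel ACL never sends into the tunnel, destinations that are tunneled but then denied, and a split-tunnel ACL that tunnels everything. The configuration is constructed, and the DAP_ACL_<X> / SPLIT_ACL_<X> naming convention from the post is assumed.

```python
from collections import defaultdict
# Constructed sample in the shape of the post (RFC 5737 addresses stand in for x.x.x.x).
SAMPLE_CONFIG = """
object-group network GROUP1
 network-object host 198.51.100.10
object-group network GROUP2
 network-object host 198.51.100.20
 network-object 203.0.113.0 255.255.255.0
access-list DAP_ACL_GROUP1 extended permit ip 192.0.2.0 255.255.255.0 object-group GROUP1
access-list DAP_ACL_GROUP2 extended permit ip 192.0.2.0 255.255.255.0 object-group GROUP2
access-list SPLIT_ACL_GROUP1 extended permit ip object-group GROUP1 any
access-list SPLIT_ACL_GROUP2 extended permit ip host 198.51.100.20 any
dynamic-access-policy-record DAP_GROUP1
 network-acl DAP_ACL_GROUP1
dynamic-access-policy-record DAP_GROUP2
 network-acl DAP_ACL_GROUP2
"""
def _addr(tok, i, groups):
    """Consume one ASA address spec at tok[i]; return (set of 'ip/mask' strings, next index)."""
    if tok[i] == "any":
        return {"any"}, i + 1
    if tok[i] == "object-group":
        return set(groups[tok[i + 1]]), i + 2
    if tok[i] == "host":
        return {tok[i + 1] + "/255.255.255.255"}, i + 2
    return {tok[i] + "/" + tok[i + 1]}, i + 2
def parse(config):
    """Return object-groups, permit entries of extended ACLs as (src, dst), and DAP -> network-acl."""
    groups, acls, daps, cur = defaultdict(set), defaultdict(list), {}, None
    for tok in filter(None, map(str.split, config.splitlines())):  # skip blank lines
        if tok[0] in ("object-group", "dynamic-access-policy-record"):
            cur = tok[-1]  # following indented lines belong to this group / DAP record
        elif tok[0] == "network-object":
            groups[cur] |= _addr(tok, 1, groups)[0]
        elif tok[0] == "access-list" and tok[2:4] == ["extended", "permit"]:
            src, i = _addr(tok, 5, groups)
            acls[tok[1]].append((src, _addr(tok, i, groups)[0]))
        elif tok[0] == "network-acl":
            daps[cur] = tok[1]
    return groups, acls, daps
def check(config):
    """Per DAP record, compare what its network-acl permits with what SPLIT_ACL_<X> tunnels (the post's DAP_ACL_<X> naming is assumed)."""
    _, acls, daps = parse(config)
    report = {}
    for dap, acl in daps.items():
        permitted = set().union(*(dst for _, dst in acls.get(acl, [])))
        tunneled = set().union(*(src for src, _ in acls.get("SPLIT_ACL_" + acl.split("DAP_ACL_")[-1], [])))
        out = ["split-tunnel ACL tunnels everything (full tunnel)"] if "any" in tunneled else []
        out += ["permitted but not tunneled: " + p for p in sorted(permitted - tunneled)]
        out += ["tunneled but not permitted: " + t for t in sorted(tunneled - permitted - {"any"})]
        report[dap] = out
    return report
```

Run `check(SAMPLE_CONFIG)` to see that GROUP1 is consistent while GROUP2's DAP ACL permits a /24 that its split-tunnel ACL never routes into the tunnel, so those users could never reach it even when compliant.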

 

Accepted Solution

@imanv I assume you have multiple AuthZ rules because you are sending different RADIUS attributes to the users? In which case you could use ISE dynamic attributes, which uses one rule and performs an external lookup to AD to get the relevant attribute. Here is an example.

Although, it might just be simpler to have multiple AuthZ rules... depending on how many you require.


4 Replies

As @ahollifield mentioned, we always have separate authorization rules for compliant and non-compliant, and we also have another one for the unknown clients whose status hasn't been decided yet. Each of these authorization rules will have an authorization profile applied. However, you don't have to create redundant rules for each AD group; you can instead add multiple AD groups to the same authorization rule.


imanv
Level 1

@Aref Alsouqi @ahollifield @Rob Ingram

Many thanks for your replies. I'm going to test the @Rob Ingram solution. It seems an interesting idea. I also used to apply it to set the special IP address for the users.