cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1013
Views
5
Helpful
6
Replies

Single Click Approval for AnyConnect RA VPN

jdansie
Cisco Employee
Cisco Employee

Would it be possible to support AnyConnect remote access VPN users with Single Click approval?  The customer use case is having contractors that need one time access to internal network resources via AnyConnect remote access VPN leveraging the Single Click approval capability to approve the request when one of the vendors needs temporary access. They don't want to store and reuse the contractor accounts, they only want to use them one time and make the approval process easy for the admins to approve. 

I know that the use case for Single Click approval is for guest access, but curious if we can use the same feature to approve "guest access" for contractors for AnyConnect remote access VPN.  In theory I don't see why this wouldn't work, but wanted some additional insight including if it would be supported by TAC if it functionally works. 

From an AnyConnect/ASA perspective, the AnyConnect client would already be deployed and the contractors would have the correct AC profile installed. 

1 Accepted Solution

Accepted Solutions

Jason Kunst
Cisco Employee
Cisco Employee

Yes under the guest type for contractor you would allow guest to bypass portal

The contractor would login with those credentials using AnyConnect

View solution in original post

6 Replies 6

Jason Kunst
Cisco Employee
Cisco Employee

Yes under the guest type for contractor you would allow guest to bypass portal

The contractor would login with those credentials using AnyConnect

I would be curious what you envision the flow to be here as single click approval is part of a self-registration guest flow and you are talking VPN.  In theory you could:

1) Make a self-registering guest portal accessible via the Internet to one or more of your PSNs.  The URL could look something like https://vendor-register.mycompany.com:8443/<portal ID>.

2) You could probably do portal manipulation to hide the username and password section of the portal. 

3) Change the test for "Don't have an account?" to "Click here to register for vendor VPN account.".

4) Once they go through the self-registration process the sponsor would get the single click link and be able to approve/deny the access.

5) Once approved the vendor would get an email back with their credentials.  You could also add in the VPN group URL to the tunnel group the vendor should connect to, something like https://vpn.mycompany.com/onetimevendor.

6) Then you could setup a policy set specifically for the One Time Vendor VPN that keys on that tunnel group name and looks at the Guest Users for the identity source.

7) The authorization rule would only allow that Guest Type to login.

That all should work, but the interesting thing to test would be the one time use concept.  I would try setting the guest type to only allow 1 login and set the account to expire 1 minute after first login.  I am not sure if VPN authentication vs. guest portal use will properly track the first login concept.

Interesting use case.

Thanks, Jason.  With this scenario, can we configure ISE to apply a maximum access time limit to the user account that was granted access that will be enforced on the ASA?  Such as if user "A" is granted access, they only have network access for two hours, and then ISE can send a request to the ASA to terminate the connection?  Obviously we can do this on the guest wireless side where a WLC will drop the connection, but curious if the same thing could be used with the ASA to terminate the VPN tunnel.

I know it will work with subsequent logins after the maximum access time limit expires and they won't be able to log in again, but the customer is more concerned with the tunnel being able to stay up for a longer period of time than the guest user is granted access for and not have anything force the disconnect.  On the ASA we can configure a per-group max session timeout value as a safety net, but the customer will need to change the maximum session limit depending on the individual guest user request and therefore this wouldn't be optimal for them.

You can easily map to different group policies on the ASA based on Guest Types in ISE.  Do setup group policies with max connect times based on Vendor types (2 hour, 8 hour, 24 hour etc.) and then apply those group policies based on what Guest Type the approve puts them in.

Remember with single click you don't get to assign a guest type.  The single click process will assign them to the guest type for that portal, i.e. let's say 2 hours.  If the sponsor wants to change the guest type they need to log into the sponsor portal and change the guest type.  Might be just easier to have them just do a sponsored process instead of single click.

You could also try setting the session timeout (reauthentication) value on the result.  I haven't tested to see if the ASA respects that setting or not.

jdansie
Cisco Employee
Cisco Employee

Awesome, great info...thanks Paul!