
Specific Multi-Match RADIUS/LDAP Questions

bilclay
Cisco Employee

ISE Gurus,

I have a customer/partner that is interested in deploying a remote access VPN solution using ASA, ISE and AnyConnect. The customer wonders how the solution can support user permissions when the user is part of multiple AD groups within the memberOf attribute. The ideal flow would be that the permissions of each group are appended/cumulative, so that the permissions of all groups they are a member of are enabled simultaneously. They have 40-50 groups with unique ACLs/permissions on each group.

I now realize that we can use the Multi-Match AuthZ policy to append ACE entries based on membership in multiple groups; however, the Cisco Partner I'm working with has the additional questions listed below.

____________________________________________________________________

Is there any size limitation on the cisco av-pair ip:inacl?

How many ACEs could fit into one RADIUS packet, since a single RADIUS attribute can be up to 255 bytes long, as explained in CSCum57190?

Could this av-pair be sent using as many RADIUS packets as required to transport the full ACL from ISE to ASA?

What is the merging algorithm where there are overlapping ACEs from different groups?

Will this cisco av-pair work with CoA, as in "ASA Version 9.2.1 VPN Posture with ISE Configuration Example - Cisco"?

Is it possible to use ISE and ASA to have flexibility like DAP for accumulating a Network Type ACL, Web Type ACL, Port-forwarding List, and URL lists for different LDAP groups?

ASA 8.x Dynamic Access Policies (DAP) Deployment Guide - Cisco

This is for a timely deal, thanks for the help!!!


3 Replies

Jason Kunst
Cisco Employee

It looks like someone from the team or the customer/partner has already posted the question; can you please verify so we are not duplicating effort? Also, please encourage partners and customers to post here.

Here is the thread that was updated shortly before your post:

Re: Can ISE/ASA/Anyconnect support multiple AD group membership?

The main question was posed and answered; however, additional follow-up questions were asked, therefore I created a new thread and included the assumed answers from the old thread. Would really appreciate answers to the additional questions here.

sding2006 (Accepted Solution)
Level 1

Thanks for the attention!

Granted, it might have been totally fine to use ISE/ASA with ISE posture assessment if we had the luxury of designing the VPN and AD authorization-related schema from scratch, utilizing some of the following:

ASA authorization options:

IETF Class attribute

      Map to group policy where filter(ACL), VLAN restriction etc. defined

IETF Filter-ID

      Map to ACL pre-defined on ASA

dACL

      ACL defined on ISE and downloaded with radius to ASA

DAP

      Specifying ACL

Secure Group Tag (SGT)

Cisco AV pair ACL

      Higher priority than dACL by default; can be merged with merge-dacl {before-avpair | after-avpair} on the RADIUS server definition

http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/aaa-radius.html

But when accumulating different kinds of [network|web|port-forwarding|URL] access policies from different groups is desired for an RA VPN solution, IMHO, there are not many choices at this moment besides:

1) Tie ISE to the ASA VPN deployment utilizing the ISE posture module; CSCum57190 will probably have to be addressed, given that ISE cannot send RADIUS messages > 4k

https://tools.cisco.com/bugsearch/bug/CSCuf90492/?referring_site=bugquickviewredir

2) Decouple ISE from the ASA VPN deployment; use DAP/LDAP on the ASA, talking LDAP directly to the identity store, and the ASA posture module. Will the ASA posture module/HostScan be supported in the long term?

I am open and eager to learn any new features or old tricks.
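The size questions in the original post (how big one ip:inacl av-pair can be, how many ACEs fit in one RADIUS packet, whether a cumulative ACL can be sent at all) and the merge-dacl ordering noted in sding2006's answer, worked through as an added example. This is not code from the thread, from ISE or from the ASA; it applies the RFC 2865 attribute and packet limits to av-pair strings. The group names, ACEs and the "concatenate in policy order, drop exact duplicates" merge rule are constructed for illustration only; the thread leaves the ASA's real handling of overlapping ACEs unanswered, and this script does not claim to reproduce it.

```python
"""Added example, not code from the thread or from Cisco: a size check for ACLs carried
as cisco-av-pair ip:inacl# attributes, plus an ordering helper for the merge-dacl knob.

Facts used (RFC 2865): a RADIUS attribute is at most 255 bytes including its Type and
Length octets; a Vendor-Specific attribute (type 26) additionally carries Vendor-Id (4),
Vendor-Type (1) and Vendor-Length (1); a whole packet is at most 4096 bytes, 20 of which
are the header; standard RADIUS has no way to continue one Access-Accept in a second
packet, so whatever does not fit in one Accept is simply not delivered.
"""
import struct

CISCO_VENDOR_ID = 9
CISCO_AVPAIR_VENDOR_TYPE = 1                      # vendor-type 1 = cisco-av-pair
VSA_TYPE = 26
RADIUS_HEADER_LEN = 20                            # Code, Identifier, Length, Authenticator
MAX_RADIUS_PACKET = 4096
MAX_ATTR_LEN = 255
VSA_OVERHEAD = 2 + 4 + 2                          # Type/Length + Vendor-Id + Vendor-Type/Vendor-Length
MAX_AVPAIR_STRING = MAX_ATTR_LEN - VSA_OVERHEAD   # 247 bytes of av-pair text per attribute


def avpair_fits(text: str) -> bool:
    """True if one cisco-av-pair string fits inside a single 255-byte attribute."""
    return len(text.encode("ascii")) <= MAX_AVPAIR_STRING


def encode_cisco_avpair(text: str) -> bytes:
    """Wire encoding of one cisco-av-pair as a RADIUS Vendor-Specific attribute."""
    payload = text.encode("ascii")
    if len(payload) > MAX_AVPAIR_STRING:
        raise ValueError(f"av-pair is {len(payload)} bytes, limit {MAX_AVPAIR_STRING}: {text!r}")
    vendor_data = struct.pack("!BB", CISCO_AVPAIR_VENDOR_TYPE, len(payload) + 2) + payload
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_data
    return struct.pack("!BB", VSA_TYPE, len(body) + 2) + body


def merge_group_acls(group_acls):
    """Constructed cumulative merge (assumption, not ASA behaviour): ACEs of every matched
    group in policy order, whitespace-normalised, exact duplicates dropped, first wins."""
    seen, merged = set(), []
    for _group, aces in group_acls:
        for ace in aces:
            ace = " ".join(ace.split())
            if ace not in seen:
                seen.add(ace)
                merged.append(ace)
    return merged


def apply_merge_dacl(avpair_aces, dacl_aces, mode="no-merge"):
    """Order av-pair and dACL entries as the aaa-server merge-dacl option is described in
    the thread: the av-pair ACL wins by default, 'before-avpair' puts the dACL entries
    first, 'after-avpair' puts them last."""
    if mode == "no-merge":
        return list(avpair_aces)
    if mode == "before-avpair":
        return list(dacl_aces) + list(avpair_aces)
    if mode == "after-avpair":
        return list(avpair_aces) + list(dacl_aces)
    raise ValueError(f"unknown merge-dacl mode {mode!r}")


def to_inacl_avpairs(aces):
    """Number the ACEs as ip:inacl#<n>=<ace>, one av-pair per ACE."""
    return [f"ip:inacl#{n}={ace}" for n, ace in enumerate(aces, start=1)]


def count_fitting(avpairs, reserved=0):
    """How many leading av-pairs fit in one Access-Accept next to `reserved` bytes of other
    attributes (Class, Framed-IP-Address, ...).  Returns (count, packet_bytes)."""
    size, count = RADIUS_HEADER_LEN + reserved, 0
    for avpair in avpairs:
        encoded = encode_cisco_avpair(avpair)
        if size + len(encoded) > MAX_RADIUS_PACKET:
            break
        size += len(encoded)
        count += 1
    return count, size


# Constructed sample: three AD groups whose ACLs overlap (HR repeats a Finance ACE).
SAMPLE_GROUP_ACLS = [
    ("VPN-Finance", ["permit tcp any host 10.1.10.5 eq 443",
                     "permit tcp any host 10.1.10.6 eq 1433"]),
    ("VPN-HR",      ["permit tcp any host 10.1.20.5 eq 443",
                     "permit  tcp any host 10.1.10.5 eq 443"]),
    ("VPN-All",     ["permit udp any host 10.1.1.53 eq 53",
                     "deny ip any any"]),
]

if __name__ == "__main__":
    merged = merge_group_acls(SAMPLE_GROUP_ACLS)
    avpairs = to_inacl_avpairs(merged)
    count, size = count_fitting(avpairs)
    print(f"{len(merged)} unique ACEs; {count} fit in one Access-Accept of {size} bytes")
    for avpair in avpairs:
        print(f"  {len(encode_cisco_avpair(avpair)):3d} bytes  {avpair}")
```

With the constants above, a short ACE such as `ip:inacl#1=permit ip any any` costs 36 bytes on the wire and roughly 110 of them fill a 4096-byte Accept before anything else (Class, Framed-IP-Address, posture av-pairs) is counted, which is the practical ceiling behind the "cannot send RADIUS messages > 4k" remark in the answer; pass the size of those other attributes as `reserved` to see what is left for the ACL.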