03-01-2016 05:57 PM
ISE Gurus,
I have a customer/partner that is interested in deploying a remote access VPN solution using ASA, ISE and AnyConnect. The customer wonders how the solution can support user permissions when the user is part of multiple AD groups within the memberOf attribute. The ideal flow would be that the permissions of each group are appended/cumulative, so that the permissions of all groups they are a member of are enabled simultaneously. They have 40-50 groups with unique ACLs/permissions on each group.
I now realize that we can use the Multi-Match AuthZ policy to append ACE entries based on membership in multiple groups; however, the Cisco Partner I'm working with has the additional questions listed below.
____________________________________________________________________
Is there any size limitation of cisco av-pair ip:inacl?
How many ACEs could fit into one RADIUS packet, since a single RADIUS attribute can be up to 255 bytes long as explained in CSCum57190?
Could this av-pair be sent using as many RADIUS packets as required to transport the full ACL from ISE to ASA?
What is the merging algorithm where there is overlapping ACEs from different groups?
Will this cisco av-pair work with COA of ASA Version 9.2.1 VPN Posture with ISE Configuration Example - Cisco?
Is it possible to use ISE and ASA to have flexibility like DAP for accumulating a Network Type ACL, Web Type ACL, Port-forwarding List, and URL lists for different LDAP groups?
ASA 8.x Dynamic Access Policies (DAP) Deployment Guide - Cisco
This is for a timely deal, thanks for the help!!!
03-02-2016 10:46 AM
Thanks for the attention!
Granted, it might have been totally fine to use ISE/ASA with ISE posture assessment if we had the luxury of designing the VPN and AD authorization schema from scratch, utilizing some of the following:
ASA authorization options:
    IETF Class attribute: map to a group policy where filter (ACL), VLAN restriction etc. are defined
    IETF Filter-ID: map to an ACL pre-defined on the ASA
    dACL: ACL defined on ISE and downloaded with RADIUS to the ASA
    DAP: specifying an ACL
    Secure Group Tag (SGT)
    Cisco AV pair ACL: higher priority than the dACL by default; could be merged with merge-dacl {before-avpair | after-avpair} on the RADIUS server definition
But when accumulating different kinds of [network|web|port-forwarding|URL] access policies from different groups is desired for an RA VPN solution, IMHO, there are not many choices at this moment besides:
1) Tie ISE to the ASA VPN deployment utilizing the ISE posture module; CSCum57190 will probably have to be addressed, given that ISE cannot send RADIUS messages > 4k
https://tools.cisco.com/bugsearch/bug/CSCuf90492/?referring_site=bugquickviewredir
2) Decouple ISE from the ASA VPN deployment, use DAP/LDAP on the ASA talking LDAP directly to the identity store, and the ASA posture module. Will the ASA posture module/hostscan be supported in the long term?
I am open and eager to learn any new features or old tricks.
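The thread's size questions (how many ip:inacl ACEs fit in a RADIUS packet given the 255-byte attribute limit, and the 4k message limit mentioned in the reply above) can be worked through numerically. The following is an added example, not code from the thread or from Cisco: it encodes cisco-av-pair strings as RFC 2865 Vendor-Specific Attributes (type 26, vendor ID 9, vendor type 1), concatenates the ACEs of several constructed AD groups into one numbered ip:inacl#N= list in group order with exact duplicates dropped, and counts how many such attributes fit into a single Access-Accept. The group names, ACEs and the "cumulative = concatenation, first match wins" assumption are the example's own; the ASA's actual merge behaviour for overlapping ACEs is not stated on the page.

```python
# Added example (not from the thread): RADIUS VSA size budget for
# cisco-av-pair "ip:inacl#N=" ACEs, plus simple cumulative merging.
import struct

CISCO_VENDOR_ID = 9        # IANA enterprise number for Cisco
CISCO_AVPAIR_TYPE = 1      # vendor type of cisco-av-pair
RADIUS_MAX_PACKET = 4096   # RFC 2865 maximum RADIUS packet length
RADIUS_MAX_ATTR = 255      # one-octet attribute Length field
RADIUS_HEADER = 20         # Code, Identifier, Length, Authenticator

# Constructed sample: AD group -> ACEs, in the order the AuthZ rules match.
GROUP_ACLS = {
    "VPN-Finance": ["permit tcp any host 10.1.10.5 eq 443",
                    "permit tcp any host 10.1.10.6 eq 1433"],
    "VPN-HR":      ["permit tcp any host 10.1.20.5 eq 443",
                    "permit tcp any host 10.1.10.5 eq 443"],   # duplicate
    "VPN-All":     ["permit udp any host 10.1.0.53 eq 53",
                    "deny ip any any"],
}


def encode_avpair(value):
    """Encode one cisco-av-pair string as a RADIUS Vendor-Specific Attribute.
    Layout (RFC 2865 5.26): Type(1) Length(1) Vendor-Id(4) Vendor-Type(1)
    Vendor-Length(1) String. Length covers the whole attribute, so the
    string may be at most 255 - 8 = 247 bytes."""
    data = value.encode("ascii")
    vendor_len = 2 + len(data)          # vendor type + vendor length + string
    attr_len = 6 + vendor_len           # type + length + vendor id + above
    if attr_len > RADIUS_MAX_ATTR:
        raise ValueError("av-pair too long for one attribute: %d > %d"
                         % (attr_len, RADIUS_MAX_ATTR))
    return (struct.pack("!BBI", 26, attr_len, CISCO_VENDOR_ID)
            + struct.pack("!BB", CISCO_AVPAIR_TYPE, vendor_len) + data)


def fits_in_one_attribute(value):
    """True if the av-pair string can be carried by a single VSA."""
    return 8 + len(value.encode("ascii")) <= RADIUS_MAX_ATTR


def build_avpairs(group_acls):
    """Concatenate the ACEs of every matched group, in group order, drop
    exact duplicates (first occurrence wins) and number them ip:inacl#1=,
    ip:inacl#2=, ... Assumption for this example: 'cumulative' means plain
    concatenation, and the resulting ACL is evaluated top-down, so an
    earlier group's deny shadows a later group's permit of the same traffic."""
    seen = set()
    aces = []
    for group in group_acls:
        for ace in group_acls[group]:
            if ace not in seen:
                seen.add(ace)
                aces.append(ace)
    return ["ip:inacl#%d=%s" % (i, ace) for i, ace in enumerate(aces, 1)]


def pack_into_packet(avpairs, other_attr_bytes=0):
    """Return (fitting, overflow): how many av-pairs fit into ONE
    Access-Accept next to other_attr_bytes of other attributes (Class,
    Framed-IP-Address, ...). RFC 2865 has no continuation of an
    Access-Accept over several packets, so overflow simply cannot be sent."""
    budget = RADIUS_MAX_PACKET - RADIUS_HEADER - other_attr_bytes
    used = fitting = 0
    for av in avpairs:
        size = len(encode_avpair(av))
        if used + size > budget:
            break
        used += size
        fitting += 1
    return fitting, len(avpairs) - fitting


if __name__ == "__main__":
    avs = build_avpairs(GROUP_ACLS)
    for av in avs:
        print("%3d bytes  %s" % (len(encode_avpair(av)), av))
    print("fit/overflow in one Access-Accept:", pack_into_packet(avs))
```

Running it on the constructed groups yields five ACEs (the duplicate HR entry is dropped) of 44 to 55 bytes each on the wire; at that size an otherwise empty Access-Accept holds roughly 70 such attributes, which is the order of magnitude a 40-50 group cumulative ACL has to be measured against.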
03-02-2016 05:16 AM
It looks like someone from the team or customer/partner has already posted the question; can you please verify so we are not duplicating effort? Also, please encourage partners and customers to post here.
Here is the thread that was updated shortly before your post:
Re: Can ISE/ASA/Anyconnect support multiple AD group membership?
03-02-2016 05:26 AM
The main question was posed and answered; however, additional follow-up questions were asked, therefore I created a new thread and included the assumed answers from the old thread. I would really appreciate answers to the additional questions here.