Solved: VPN Group Issues with AnyConnect and ISE

Matthew Martin · ‎12-18-2017

Hello All,

ISE: v2.0.0.306

ASA5515 9.4(1) and ASA5510 8.4(7)

I have been having login issues with Cisco AnyConnect VPN, which we use with Cisco ISE.

We have 2 VPN user Groups setup in the ASA/ISE servers and in our Windows Domain Controller. One group is called Employee and the other is called Vendor. For the most part, users don't have any issues logging into the Employee group through AnyConnect. However, I seem to be unable to do so.

My user is in BOTH the Employee and Vendor Groups, but I seem to be only able to login via the Vendor group. I double checked the Windows DC and my user is listed under BOTH groups, so I'm not sure what the issue is.

If I connect to the VPN and select the Employee Group to login, I enter my credentials and the login window disappears for a second and then comes back up as if I failed to login. If I look on the ISE Radius LiveLogs I can see it shows my user getting "5200 Authentication succeeded", along with the "Vendor" authorization policy and "Vendor-Access" auth profile, even though I selected the Employee Group, and it said it failed. The VPN Message History on the AnyConnect client just shows "User credentials entered" and then nothing after that...

If I select the "Vendor" group during VPN login, I get logged in without issue, showing basically the same information in the ISE LiveLogs that I saw during the failed attempts to the Employee group.

Any idea what could be going on here? I have been having this issue for as long as I can remember, and I've just been using the Vendor group as a workaround.

**EDIT** I just tried removing my User from the Windows AD group for Vendors so my only VPN Group in my Member of tab was for Employee. After doing this I was able to log in to Employee. So I tried re-adding Vendor back to my user, and the same issue occurs when I try to login to VPN with the Employee Group, it fails, but Vendor works fine.

Thanks in Advance,

Matt

Rahul Govindan · ‎12-18-2017

Group lock is essentially used to tie (or lock) a group-policy to a tunnel-group. So if a AAA assigns a group-policy to a user after authentication, the user only can complete a successful connection if he/she connected to the ASA using the tunnel-group that is locked to the group-policy.

In your case, the group-lock feature is used so that a vendor user cannot connect to an employee tunnel-group and vice versa. And that seems to be preventing you from connecting to the ASA. Since the ISE has the vendor policy above employee, you get matched there first (because you are also on vendor AD group). Then, when you are assigned the ASA vendor group-policy, the ASA drops you because you first connected to the employee tunnel-group on the ASA.

Group-lock is explained in the config example here:

https://www.cisco.com/c/en/us/support/docs/security/ios-easy-vpn/117634-configure-asa-00.html

View solution in original post

Rahul Govindan · ‎12-19-2017

Yes. Moving the Vendor Policy below the employee Policy on ISE should be able to get you into the employee Group on the ASA. But this will affect access when your user account wants to get into the Vendor tunnel-group.

You can add an additional parameter "Cisco-VPN3000:CVPN3000/ASA/PIX7.x-Tunnel-Group-Name" as a match condition as I had mentioned in my first post. This way, without changing any order, if you came in on Employee TG on the ASA, only the Employee Policy on ISE can match. Same goes for Vendor. You would not have to worry about order of the policies on ISE.

View solution in original post

Rahul Govindan · ‎12-18-2017

How is the condition set up on ISE? I usually use this condition for VPN setups with Staff and Vendor access.

If Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name= <Employee Tunnel Group> and AD:ExternalGroups = <Employee AD group> then Employee Authz Profile

If Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name= <Vendor Tunnel Group> and AD:ExternalGroups = <Vendor AD group> then Vendor Authz Profile

Looks to me that you may ONLY be checking for AD group membership under the Authz conditions, causing you to be matched under Vendor Authz policy. Adding the VPN tunnel group as an additional condition should help in that case if both attributes are returned.

Matthew Martin · ‎12-18-2017

Hey Rahul, thanks for the reply, much appreciated!

I attached a screenshot of the VPN Policy Sets.

It just seems strange that when I try to login with the Employee group that ISE is saying that I successfully authenticated with the Vendor group, even though I attempted to login with Employee and AnyConnect is telling me the login failed... Bizarre.! And since ISE is not telling me my login attempt failed, its impossible to find out why that login failed, if that makes sense.

From ISE Policy Sets:

VPNusers == Employee Group

vpnconsulting == Vendor Group

So you added the VPN-Tunnel-Group as a condition in your VPN Policy Sets?

Thanks Again,

Matt

Rahul Govindan · ‎12-18-2017

You may have it setup where the ASA has some Group-lock feature configured. Are you assigning an ASA group-policy in your Authz policies on ISE? If so, it could be that the ISE assigns Vendor Group-policy to you after authentication. And if the ASA has a group-lock feature saying that you can only receive Vendor Group-policy if you come in on Vendor Tunnel-group - it would explain the behavior that you are seeing. With respect to ISE, the authentication would look all good. But the ASA could be using the group-lock feature to restrict vendors from accessing employee groups and vice versa. A quick look at your ASA group-policies should confirm this.

Matthew Martin · ‎12-18-2017

I just checked in the ASA's Group Policies for the Employee and Vendor groups. I attached screenshots of those 2 windows.

It looks like the "Lock" feature is enabled, I believe... I'm still kind of unclear on what exactly this feature does?

Thanks again for the reply, very much appreciated!

-Matt

Rahul Govindan · ‎12-18-2017

Group lock is essentially used to tie (or lock) a group-policy to a tunnel-group. So if a AAA assigns a group-policy to a user after authentication, the user only can complete a successful connection if he/she connected to the ASA using the tunnel-group that is locked to the group-policy.

In your case, the group-lock feature is used so that a vendor user cannot connect to an employee tunnel-group and vice versa. And that seems to be preventing you from connecting to the ASA. Since the ISE has the vendor policy above employee, you get matched there first (because you are also on vendor AD group). Then, when you are assigned the ASA vendor group-policy, the ASA drops you because you first connected to the employee tunnel-group on the ASA.

Group-lock is explained in the config example here:

https://www.cisco.com/c/en/us/support/docs/security/ios-easy-vpn/117634-configure-asa-00.html

Matthew Martin · ‎12-18-2017

Oh ok, that makes sense...

The reason I'm in both groups is because the Vendor Group does not do Posture checking. And since 99% of the time I use Linux as my default OS, and since my Linux OS does not have Windows Updates/Symantec AV, it would fail posture checking. So to workaround this I added my user to the Vendor group.

So if I were to move the Vendor Policy Set below the Employee Policies in ISE, I would then be able to login with the Employee group. However, I wouldn't be able to get into the Vendor group anymore because it would match me to the Employee group and lock me into that group.

Does that sound correct? Is there anyway around this without removing the Tunnel-Group lock feature?

Thanks Again,
Matt

Rahul Govindan · ‎12-19-2017

Yes. Moving the Vendor Policy below the employee Policy on ISE should be able to get you into the employee Group on the ASA. But this will affect access when your user account wants to get into the Vendor tunnel-group.

You can add an additional parameter "Cisco-VPN3000:CVPN3000/ASA/PIX7.x-Tunnel-Group-Name" as a match condition as I had mentioned in my first post. This way, without changing any order, if you came in on Employee TG on the ASA, only the Employee Policy on ISE can match. Same goes for Vendor. You would not have to worry about order of the policies on ISE.

Matthew Martin · ‎12-19-2017

Excellent. I added the attribute you suggested, *i.e. Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name--[146], and set it to Equal "vendor" for the Vendor VPN policy set.

Then, I also added that same attribute check in each of the Unknown, Non-Compliant and Compliant Policy Sets for Employee and set it so it must be Equal to the "employee" Tunnel-Group.

In doing this, a user, like myself, can be in both the Vendor group and the Employee group and still be able to use each one to login to VPN. And, since I didn't remove the Tunnel Group Lock feature from the ASA, the user will also get locked into the group that they selected for that VPN login session.

Thanks again for the help Rahul!

-Matt

Matthew Martin · ‎12-18-2017

One other thing I was just thinking about...

Is the Tunnel-Group lock feature necessary? It almost seems like the Lock feature is redundant when authenticating through ISE which has policies linked to specific AD Groups...

*For example, "jdoe" is an AD user who is in the "vpnconsulting" AD Group only. So if jdoe attempted to login to VPN and selected the "Employee" group. Wouldn't his login attempt fail, since the Policy in ISE says that the user needs to be in the "vpnconsulting" AD group in order to use the Vendor Group Policy?

And vice versa... jsmith is in the "VPNusers" AD group, and they attempt to login with the Vendor group through AnyConnect VPN. Wouldn't that also fail since they're not in the "vpnconsulting" group?

-Matt

Rahul Govindan · ‎12-19-2017

Yes, you are correct. But I think this was designed with ASA local user DB in mind. You can only assign a group-policy for the user on the ASA local DB. So say you have 2 users there and you want to restrict them to their own individual Tunnel-groups, then user specific group-policy attribute and group-lock is the way to go.

Matthew Martin · ‎12-19-2017

Hey Rahul, thanks again for the reply!

Ok, that's what I got when I was reading about the Group Policy/Tunnel Group locking feature, that it applied more towards users configured on the ASA locally.

I guess I'll try removing the lock feature on the ASA and see what results I get.

Thanks again for the explanations, much appreciated!

-Matt

Matthew Martin · ‎12-19-2017

Sorry, I just re-read one of your posts from yesterday about adding the extra condition in ISE to match the "Cisco-VPN3000:CVPN3000/ASA/PIX7.x-Tunnel-Group-Name" condtion.

I guess I'll try that first before I attempt to remove the Lock feature. I'll post back with results...

-Matt