ASA VPN policy based on AD groups

manvik (Level 3)

I am using AnyConnect VPN on the ASA. The ASA does RADIUS AAA to ISE and then to AD.

How can the ASA assign a different group policy based on the AD user group?

The intention is to assign a different IP pool on the ASA based on the AD user group (for users connecting via AnyConnect VPN).

Accepted Solution

@manvik from ISE create an authorisation profile that references the group policy.

[Screenshot: ISE authorisation profile referencing the group policy (RobIngram_2-1741353872456.png)]

In the example above, GP-1 must exist on the ASA.

group-policy GP-1 attributes
 address-pools value VPN_POOL

You then create an authorisation rule in the policy set that matches on the AD group and returns the authorisation profile that assigns the group policy.

7 Replies


@manvik alternatively you could just assign the IP address pool instead of the group-policy.

[Screenshot: ISE authorisation profile assigning the address pool (RobIngram_3-1741354212820.png)]

The address pool "ISE_POOL" must exist (case sensitive) on the ASA.

manvik (Level 3)

Thank you, I finally had to go with the below in the authorization profile:

Access Type = ACCESS_ACCEPT
Class = ou=gp-it-vpn
CVPN3000/ASA/PIX7x-Address-Pools = it_vpn
cisco-av-pair = group-policy=gp-it-vpn

There were different tunnel groups/connection profiles on the ASA. When a user logged in to AnyConnect, the ASA was assigning its default connection profile and group policy. This caused a "user not found in local" error.
Finally I changed the default group policy AAA server to ISE, then added the above in the ISE authorization profile.

ASA log shows:

AAA group policy for user vpn_it is being set to gp-it-vpn
AAA retrieved default group policy (DfltGrpPolicy) for user = vpn_it

The group policy received from ISE was being overridden on the ASA. Is there any mechanism to stop this?

In AnyConnect there's no drop-down or profile selection available; as there are too many similar tunnel groups, it makes it confusing for the end user to select the profile from a drop-down.

@manvik From ISE you only need to assign the group-policy (Class = ou=gp-it-vpn) or the address-pool (CVPN3000/ASA/PIX7x-Address-Pools = it_vpn), not both at the same time (unless the group-policy does not specify the address pool). They are different methods to assign the address pool.

Please run show vpn-sessiondb anyconnect after the user has been authenticated and received the new settings; this will confirm what group-policy is actually used by the session.

If you still have a problem, please provide the full output of debug radius from when the user is authenticated to the network.
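The replies above describe two things: which RADIUS attributes an ISE authorisation profile returns to the ASA (IETF Class with an OU= prefix or a cisco-av-pair to name the group policy, and the CVPN3000/ASA/PIX7x Address-Pools VSA to name the pool), and how the ASA applies them (the RADIUS group policy replaces the connection profile's default group policy, the pool comes from RADIUS or from the group policy, and the tunnel-group itself cannot be changed by RADIUS). The following is an added example, not code from the thread or from Cisco: it encodes those attributes in RADIUS wire format, decodes them, and resolves the resulting session against a constructed ASA configuration. The attribute and vendor numbers (Class = 25, Vendor-Specific = 26, Cisco vendor 9 / av-pair 1, Cisco VPN 3000 vendor 3076 / Address-Pools 217) are the standard ones; the precedence rules in resolve_session, the configuration dictionaries, and all sample values are a simplified model and are assumptions for illustration.

```python
"""Added example: RADIUS Access-Accept attributes for ASA group-policy / pool
assignment, and a simplified model of how the ASA resolves them.
Attribute numbers are standard; the ASA-side model and config are constructed."""
import struct

RADIUS_CLASS = 25             # IETF Class, "OU=<group-policy>" names a group policy
RADIUS_VENDOR_SPECIFIC = 26   # IETF Vendor-Specific carrier
VENDOR_CISCO = 9              # cisco-av-pair lives under vendor 9
CISCO_AV_PAIR = 1
VENDOR_CISCO_VPN3000 = 3076   # ISE's "CVPN3000/ASA/PIX7x" dictionary
VPN3000_ADDRESS_POOLS = 217   # Address-Pools VSA


def ietf_attr(atype: int, value: bytes) -> bytes:
    """One RADIUS TLV: type, length (header included), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def vsa(vendor_id: int, vtype: int, value: bytes) -> bytes:
    """Vendor-Specific (26) wrapping a vendor TLV in the RFC 2865 layout."""
    inner = struct.pack("!BB", vtype, 2 + len(value)) + value
    return ietf_attr(RADIUS_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_accept_attrs(group_policy=None, address_pool=None, use_av_pair=False) -> bytes:
    """Attributes an ISE authorisation profile would place in the Access-Accept."""
    out = b""
    if group_policy is not None:
        if use_av_pair:
            out += vsa(VENDOR_CISCO, CISCO_AV_PAIR, f"group-policy={group_policy}".encode())
        else:
            out += ietf_attr(RADIUS_CLASS, f"OU={group_policy}".encode())
    if address_pool is not None:
        out += vsa(VENDOR_CISCO_VPN3000, VPN3000_ADDRESS_POOLS, address_pool.encode())
    return out


def parse_attrs(data: bytes):
    """Walk the TLVs and return (type, vendor_id, vendor_type, value) tuples."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + alen]
        if atype == RADIUS_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("short VSA")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("bad VSA length")
            attrs.append((atype, vendor_id, vtype, value[6:4 + vlen]))
        else:
            attrs.append((atype, None, None, value))
        i += alen
    return attrs


def radius_assignments(attrs):
    """Extract what the ASA consumes: a group-policy name and/or an address-pool name."""
    gp = pool = None
    for atype, vendor_id, vtype, value in attrs:
        text = value.decode("ascii", "replace")
        if atype == RADIUS_CLASS and text[:3].upper() == "OU=":
            gp = text[3:]
        elif vendor_id == VENDOR_CISCO and vtype == CISCO_AV_PAIR and text.startswith("group-policy="):
            gp = text.split("=", 1)[1]
        elif vendor_id == VENDOR_CISCO_VPN3000 and vtype == VPN3000_ADDRESS_POOLS:
            pool = text
    return gp, pool


def resolve_session(tunnel_group, accept_attrs, tunnel_groups, group_policies, ip_pools):
    """Assumed model: the tunnel-group stays as connected (RADIUS cannot change it);
    a RADIUS group-policy overrides the tunnel-group's default-group-policy; the pool is
    taken from RADIUS, else the group-policy, else the tunnel-group. Names must exist."""
    gp, pool = radius_assignments(parse_attrs(accept_attrs))
    tg = tunnel_groups[tunnel_group]
    if gp is None:
        gp = tg["default_group_policy"]
    if gp not in group_policies:
        raise ValueError(f"group-policy {gp!r} must exist on the ASA")
    if pool is None:
        pool = group_policies[gp].get("address_pool") or tg.get("address_pool")
    if pool is not None and pool not in ip_pools:   # pool names are case sensitive
        raise ValueError(f"ip local pool {pool!r} must exist on the ASA")
    return {"tunnel_group": tunnel_group, "group_policy": gp, "address_pool": pool}


# Constructed ASA configuration using the names from the thread.
TUNNEL_GROUPS = {"DefaultWEBVPNGroup": {"default_group_policy": "DfltGrpPolicy"}}
GROUP_POLICIES = {"DfltGrpPolicy": {}, "gp-it-vpn": {"address_pool": "it_vpn"},
                  "GP-1": {"address_pool": "VPN_POOL"}}
IP_POOLS = {"it_vpn", "VPN_POOL", "ISE_POOL"}

if __name__ == "__main__":
    attrs = build_accept_attrs(group_policy="gp-it-vpn", address_pool="it_vpn")
    print(resolve_session("DefaultWEBVPNGroup", attrs, TUNNEL_GROUPS, GROUP_POLICIES, IP_POOLS))
```

Running it with the attribute set from the thread shows the session landing on gp-it-vpn and pool it_vpn even though the connection profile is still DefaultWEBVPNGroup, which matches what show vpn-sessiondb anyconnect reported above. A pool name whose case does not match the ASA configuration is rejected by the model, mirroring the "must exist (case sensitive)" caveat.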

Checked vpn-sessiondb. The group policy assigned is correct, but the tunnel group assigned is the default (DefaultWEBVPNGroup). Screenshot attached.

@manvik you cannot change the tunnel-group by RADIUS, you change the group-policy (as per the instructions above) and ensure the address pool you wish to assign is referenced in the group-policy.

Ya, that makes sense.
