RA-VPN not receiving/enforcing the right Group-Policy sent from ISE

sd-wan_engineer

Issue:
After the software upgrade on the FW, the VPN session is not receiving the right Group-Policy from ISE.
Even though ISE gets all the information about the user from AD (no change here), the authorization policy that was matching before is not matching anymore.

We have 4 locations, all with FTD-FMC and using certificate and RADIUS authentication.
One location has upgraded the firewalls and manager to 7.4.2.1-30, and now the VPN is not working well.
We are having issues when trying to assign a different group policy to a user where the group policy contains a different client profile (XML) from the one used to connect in the first instance.

We think there is a bug in the new software that is preventing the firewall from overwriting the VPN session.
Firewall:
Firepower 2110 with FTD 7.4.2.1
FMC 7.4.2.1.30

Does the authorization request make it to ISE? If so, what do you see in the ISE logs?

It does; it authorizes and I even get the MFA prompt for the code on the client side.

On the RADIUS Live Logs it hits the only authorization rule I have with MFA, but it assigns the wrong authorization policy. If I check the details of the session I see that ISE has pulled all the information regarding the user (AD groups, device IP address, Tunnel-Group-Name used for the VPN connection, etc.).

Before the firewall upgrade all these parameters were taken into account to make the session match a particular Authorization-Policy that would apply an Authorization-Profile containing an overwrite of the Group-Policy of the VPN session. Now it just hits Authorization-Rules that don't send a new Group-Policy to the firewall.

I am not sure whether this new software version has simply made the firewall stop receiving the CoA from ISE. The ISE Authorization-Profile sends the results:
Access Type = ACCESS_ACCEPT
Class = Management-External
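Added example, not code from the thread, from Cisco or from ISE: a small RADIUS Access-Accept decoder that reports whether the accept carries a group-policy override in either form the ASA/FTD honours, the IETF Class attribute (type 25) with an "OU=<group-policy>;" value, or the Cisco VPN3000 vendor-specific Group-Policy attribute (vendor ID 3076, sub-type 25). The attribute numbers are taken from the ASA RADIUS attribute reference and are an assumption to verify against your own ISE Authorization Profile's Advanced Attributes; the three packets are constructed inline for illustration, not captured from the poster's network, and the Response Authenticator is zeroed and not verified. Feed it the raw bytes of the accept (from a capture on the RADIUS port, or the hex that `debug radius` prints) to see what ISE actually put on the wire, independently of how the Live Log labels it.

```python
"""Decode a RADIUS Access-Accept and report any ASA/FTD group-policy override.

Added example for the thread above; attribute numbers are assumptions taken
from the ASA RADIUS attribute reference, not from the thread itself.
"""
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_CLASS = 25                 # IETF Class: ASA reads "OU=<group-policy>;"
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO_VPN3000 = 3076     # vendor ID used for ASA/FTD VPN attributes (assumed)
VSA_GROUP_POLICY = 25           # Cisco VPN3000 "Group-Policy" sub-attribute (assumed)


def parse_avps(payload: bytes):
    """Walk type/length/value attributes and reject malformed lengths."""
    avps = []
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        avps.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return avps


def group_policy_from_accept(packet: bytes) -> dict:
    """Return the override attributes found in one RADIUS packet.

    'class_ou' is the OU= value from Class, 'vsa_group_policy' the Cisco VSA
    value; None means that attribute was absent.  'class_raw' keeps the full
    Class string so a bare name without the OU= prefix is still visible.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    result = {"code": code, "class_raw": None, "class_ou": None,
              "vsa_group_policy": None}
    if code != CODE_ACCESS_ACCEPT:
        return result  # Reject/Challenge never carry a group-policy override
    for atype, value in parse_avps(packet[20:]):
        if atype == ATTR_CLASS:
            text = value.decode("ascii", errors="replace")
            result["class_raw"] = text
            for part in text.split(";"):
                if part.startswith("OU="):
                    result["class_ou"] = part[3:]
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            if vendor == VENDOR_CISCO_VPN3000:
                for stype, svalue in parse_avps(value[4:]):
                    if stype == VSA_GROUP_POLICY:
                        result["vsa_group_policy"] = svalue.decode("ascii", errors="replace")
    return result


def is_malformed(packet: bytes) -> bool:
    """True when the decoder rejects the packet as structurally invalid."""
    try:
        group_policy_from_accept(packet)
    except ValueError:
        return True
    return False


# --- constructed sample packets (illustrative, not captured traffic) ---
def _avp(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def _vsa(vendor: int, stype: int, value: bytes) -> bytes:
    return _avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor) + _avp(stype, value))


def _access_accept(ident: int, *avps: bytes) -> bytes:
    body = b"".join(avps)
    # Response Authenticator zeroed: this decoder does not check it against
    # the shared secret, which a real verifier must do before trusting it.
    return struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body


# 1. accept whose Class is a bare string: nothing here overrides group-policy
ACCEPT_NO_OVERRIDE = _access_accept(7, _avp(ATTR_CLASS, b"Management-External"))
# 2. accept carrying "OU=<gp>;" in Class: override via the IETF attribute
ACCEPT_CLASS_OU = _access_accept(8, _avp(ATTR_CLASS, b"OU=Management-External;"))
# 3. accept carrying the Cisco VPN3000 Group-Policy VSA
ACCEPT_VSA = _access_accept(9, _vsa(VENDOR_CISCO_VPN3000, VSA_GROUP_POLICY, b"Management-External"))

if __name__ == "__main__":
    for name, pkt in (("bare Class", ACCEPT_NO_OVERRIDE),
                      ("Class OU=", ACCEPT_CLASS_OU),
                      ("Cisco VSA", ACCEPT_VSA)):
        print(name, group_policy_from_accept(pkt))
```

The point of keeping `class_raw` separate from `class_ou` is that a Live Log line reading "Class = Management-External" does not by itself show whether the OU= prefix the ASA/FTD parses is present; decoding the bytes does.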
Interesting. With regard to the CoA config on the ASA, you can check whether the command "dynamic-authorization" is still applied to the AAA server config; if so, I don't think the issue would be with CoA. On the other side, you mentioned that now on ISE this traffic flow doesn't match the right authorization profile! Could you please share the screenshot of the session log taken from ISE and also the two authorization profiles (the one that is currently hitting and the one that should be hit) for review?

Share

show vpn sessiondb anyconnect

debug radius

Send it as PM

Thanks 

MHM
sd-wan_engineer

The show vpn sessiondb anyconnect just shows when the user is authenticated and connected. When the user is connected nothing looks weird; it just shows the connection profile and group policy. I have a brief explanation of the issues:

The connection profile I use for external management connections is called "Management VPN"; there are two scenarios that involve just the firewall and not the RADIUS server.

Scenario 1: With connection profile "Management -VPN" and group policy "DenyAccessDefault".
When I connect with this configuration (authorization = cert+radius) I enter my credentials and get the MFA prompt; after I enter the MFA token it fails to connect, with the following log from Secure Client: "User credentials entered".
In the DART files it appears:
"Return success from VerifyServerCertificate"
"Authentication is not token based (OTP)."
"Processing user response."
"ConnectMgr::connectViaAgent AgentConnectRequestSend"
"Description : Message type prompt sent to the user:"
"Processing user response."
"ConnectMgr::connectViaAgent AgentConnectRequestSend"
"Description : The following error message was received from the secure gateway:"
"Login failed"
Scenario 2: With connection profile "Management -VPN" and group policy "Management-External".
This time I enter my credentials the same as before and I get in (with the wrong authorization profile anyway). If I check on ISE I get the simplest Authorization-Profile result, which does not send a Group-Policy overwrite to the firewall but an "Access Permit" instead.
ISE policies:
- The one that is on top of the list and should match:

[screenshot: sdwan_engineer_3-1730987046810.png]

- The one that is matching:

[screenshot: sdwan_engineer_2-1730986721338.png]
If the "Users" rule is the one that is matching, it would suggest that ISE does see the user coming through that session as part of "Domain Users". Would you mind sharing a sanitized ISE RADIUS log for review? If not, could you please do this sanity check and see what AD group and user are showing up in the ISE log?