
Cisco ISE and Remote Access VPN question

Will Kerr
Level 1

Company Acme wants to use ISE to authenticate against their VPN.  They have different connection profiles for different access.  They don’t use the dropdown, they use the URL.

 

  • Acme.com/pci
  • Acme.com/it
  • Acmine.com/users
  • Acme.com/facilities

We have three test users:

User1:
Memberof: pci, it, users

User2:
Memberof: facilities, users

User3:
Memberof: users, it

 

I don’t think we can break out connection profiles in ISE, so how would we make sure this works?

if User3 connects to the acme.com/it how do we make sure he gets the IT access rather than user?

If User2 connects to acme.com/user how do we make sure he gets user privilege rather than facilities?

In the past I've used NPS and I haven't had the issue of overlapping groups like this. 

Thanks!


7 Replies

mrsethi
Cisco Employee

Hi,

As per your description, you wish that each group of users should get a different level of network access.

>> As per the description, I see that you are using a separate tunnel-group for each group.

>> Each tunnel-group has a different group-url, which means the user will directly land on the specific tunnel-group.

>> There are different ways to provide different levels of network access:

1- You can configure a separate group-policy for each tunnel-group and apply a separate split-tunnel access-list (standard ACL) to each group-policy.

For example: 

Consider IT will have access to only 10.10.10.0/24 and User will have access to only 10.10.20.0/24.

For IT:

! Standard ACL listing the networks the IT group-policy may reach through the tunnel
access-list split-it standard permit 10.10.10.0 255.255.255.0

group-policy IT-pol internal
group-policy IT-pol attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-it
exit

! tunnel-group type is remote-access; users land here via the group-url
tunnel-group IT-grp type remote-access
tunnel-group IT-grp general-attributes
 default-group-policy IT-pol
tunnel-group IT-grp webvpn-attributes
 group-url https://Acme.com/it enable

For User:

access-list split-user standard permit 10.10.20.0 255.255.255.0

group-policy User-pol internal
group-policy User-pol attributes
 split-tunnel-policy tunnelspecified
 ! must reference the User ACL, not split-it
 split-tunnel-network-list value split-user
exit

tunnel-group User-grp type remote-access
tunnel-group User-grp general-attributes
 default-group-policy User-pol
tunnel-group User-grp webvpn-attributes
 group-url https://Acme.com/users enable

As per the above, when users connect to different tunnel-groups they will get different group-policies and will have different ACLs applied.

let me know if you have any more queries.

Regards,

Mrutunjay Sethi

This makes a lot of sense, in the past I've used NPS to push attribute 25 to apply a Group-Policy.

My concern is around ISE where you can't make an AUTHZ decision when the user resides in multiple groups.

I'm having trouble articulating this, but as you see the users above are in all sorts of different groups, so how do you make sure they get the right AuthZ profile based on what Tunnel-Group they connect to?

Example ISE Policy:

if user is member of AD-1/PCI then push GroupPolicy PCI

if user is member of AD-1/IT then push GroupPolicy IT

if user is member of AD-1/User then push GroupPolicy User

The group Policy push would obviously be attribute 25.

Now if User1 connects to the User tunnel-group, he would still match the PCI AuthZ profile right? How do I get around that?

adam kalabadzi
Level 1

Hi,

I think this link has same question as yours https://supportforums.cisco.com/discussion/12129661/ise-assign-group-policies-asa

If you use ASA, you have to:

1. create tunnel-groups;

2. create group-policies;

3. assign each tunnel-group to a group-policy;

4. create authz profiles on ISE, and map each authz profile to your group-policy (visit that link to see how to do that);

5. create authz policies, and assign your authz profiles to them.

Cheers !

ak

nspasov
Cisco Employee

Will, two things come to mind here:

1. You can override the "tunnel group" the VPN user lands on by using the "class =" attribute in ISE under the authorization profile that you return. It is called "ASA VPN" under the "common tasks". That way, if a user connects to the wrong tunnel group, he/she would be placed in the correct group after authorization takes place. Then you will control the user access with vpn-filters.

2. Utilize DACLs. With DACLs the customer can utilize a single tunnel group for all of its VPN users and just limit access via DACLs. I like this approach better since vpn-filters are local to each ASA, so if the customer has 10 ASAs they would have to go and update 10 ASAs manually (unless they have CSM).

I hope this helps!

Thank you for rating helpful posts!

So here is where my confusion comes in. 

Company has tons of users all in tons of different groups. They have User A. User A is PCI, HR, and HVAC.

If he connects to the HVAC how do we make sure he gets access to just HVAC?


If we use a tunnel-group override on ISE he will hit the first match, and depending on how the AuthZ rules are ordered he could match the PCI rule, since he is a member of that too...

I might not be articulating this right, but does that make sense?

Sorry for the delayed reply Will! Yes, you are correct that once a rule is matched the process will stop and the associated authorization policy will be selected. 

One way you could resolve your problems is to create specific rules or even specific policy sets for each individual tunnel group. You can accomplish this by utilizing the following attribute:

CVPN3000/ASA/PIX7x-Tunnel-Group-Name = value

So your rule could be something like this:

if
    CVPN3000/ASA/PIX7x-Tunnel-Group-Name = HVAC
and
    external identity group = HVAC
then
    HVAC_Access_Only

Question for you: Why does User A belong to the PCI and HR groups if he/she should only have access to HVAC? :)

Thank you for rating helpful posts!
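The following is an added example and not code from the original thread, from ISE, or from the ASA. It simulates the first-match authorization that Will describes (a multi-group user hitting the PCI rule when he connected to the users URL) and the fix in the reply above, where each rule also requires CVPN3000/ASA/PIX7x-Tunnel-Group-Name to match. The three test users are taken from the original post; rule names, profile names, group-policy names and the DACL names are assumptions made for the example. The Class attribute is rendered in the "OU=<group-policy>;" form the ASA expects from RADIUS attribute 25, as Will mentions.

```python
"""Simulation of ISE first-match authorization for the ASA VPN scenario in this
thread. Added example; the data, rule names and profile names are constructed
to match the posts and are not from any Cisco product."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VpnRequest:
    user: str
    ad_groups: frozenset           # external identity groups resolved from AD
    tunnel_group: str              # CVPN3000/ASA/PIX7x-Tunnel-Group-Name sent by the ASA


@dataclass(frozen=True)
class AuthzRule:
    name: str
    ad_group: str                  # condition: user is a member of this AD group
    tunnel_group: Optional[str]    # condition: session's tunnel group (None = not checked)
    profile: str                   # authorization profile returned on match


# Rule set A: the policy Will sketched. Conditions look only at AD group membership.
GROUP_ONLY_RULES = (
    AuthzRule("PCI",        "pci",        None, "PCI_Access"),
    AuthzRule("IT",         "it",         None, "IT_Access"),
    AuthzRule("Facilities", "facilities", None, "Facilities_Access"),
    AuthzRule("Users",      "users",      None, "User_Access"),
)

# Rule set B: the pattern from the reply above. Each rule requires BOTH the AD
# group and the matching tunnel group, so the URL the user connected to decides
# the outcome, and a user not entitled to that tunnel group falls through to deny.
TUNNEL_AWARE_RULES = (
    AuthzRule("PCI-on-pci",               "pci",        "pci",        "PCI_Access"),
    AuthzRule("IT-on-it",                 "it",         "it",         "IT_Access"),
    AuthzRule("Facilities-on-facilities", "facilities", "facilities", "Facilities_Access"),
    AuthzRule("Users-on-users",           "users",      "users",      "User_Access"),
)

# Assumed mapping from authorization profile to returned RADIUS attributes.
# Class (attribute 25) as "OU=<name>;" is how the ASA selects a group-policy;
# the DACL name stands for the per-session ACL nspasov prefers over vpn-filters.
PROFILE_ATTRS = {
    "PCI_Access":        {"Class": "OU=PCI-pol;",        "DACL": "PCI-only"},
    "IT_Access":         {"Class": "OU=IT-pol;",         "DACL": "IT-only"},
    "Facilities_Access": {"Class": "OU=Facilities-pol;", "DACL": "Facilities-only"},
    "User_Access":       {"Class": "OU=User-pol;",       "DACL": "User-only"},
}


def evaluate(rules, req, default_profile="DenyAccess"):
    """First-match evaluation as ISE does it: walk the rules top to bottom and
    return (rule_name, profile) for the first rule whose conditions all hold."""
    for rule in rules:
        if rule.ad_group not in req.ad_groups:
            continue
        if rule.tunnel_group is not None and rule.tunnel_group != req.tunnel_group:
            continue
        return rule.name, rule.profile
    return "Default", default_profile


def authorize(rules, req):
    """Evaluate and translate the result into what the ASA would receive:
    (matched rule, RADIUS code, attributes). A deny carries no attributes."""
    rule_name, profile = evaluate(rules, req)
    if profile == "DenyAccess":
        return rule_name, "Access-Reject", {}
    return rule_name, "Access-Accept", PROFILE_ATTRS[profile]


# The three test users from the original post (constructed data).
USERS = {
    "User1": frozenset({"pci", "it", "users"}),
    "User2": frozenset({"facilities", "users"}),
    "User3": frozenset({"users", "it"}),
}


def compare(user, tunnel_group):
    """Decision of both rule sets for one user landing on one tunnel group."""
    req = VpnRequest(user, USERS[user], tunnel_group)
    return {
        "group_only":   authorize(GROUP_ONLY_RULES, req),
        "tunnel_aware": authorize(TUNNEL_AWARE_RULES, req),
    }


if __name__ == "__main__":
    # User1 on the users URL, User3 on the users URL, User2 on a URL he is not entitled to.
    for user, tg in (("User1", "users"), ("User3", "users"), ("User2", "pci")):
        print(f"{user} -> tunnel-group {tg}")
        for name, (rule, code, attrs) in compare(user, tg).items():
            print(f"  {name:12s} {rule:28s} {code:13s} {attrs}")
```

Running it shows the overlap problem directly: with group-only rules, User1 connecting to the users URL matches the PCI rule first and is handed the PCI group-policy, and User2 connecting to the pci URL (a group he is not in) still gets Facilities access because his facilities membership matches a later rule. With the tunnel-aware rules, each user gets exactly the profile for the URL he used, and User2 on the pci URL falls through to the default and is rejected. In ISE the same condition is built from the Cisco-VPN3000 dictionary attribute the reply names; whether you then enforce with a Class-selected group-policy plus vpn-filter or with a DACL is the choice nspasov discusses, and the policy-ordering problem is solved the same way in both.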

Hi Will Kerr,
It would be a great help if you let me know what made you solve your problem. I'm also stuck on this.