dhr.tech1

Introduction

In this blog we will configure Remote Access VPN on a Cisco ASA with certificate-based authentication, while authorization is performed by ISE against Active Directory.

Video lab demo: https://youtu.be/UJWUk3ria88

With certificate-based authentication and AnyConnect VPN, the certificate authentication process terminates on the ASA. Because the ASA completes authentication itself and does not pass the certificate to ISE, ISE tries to process a full authentication when the request arrives. There is no password in that request, so authentication fails.

Thus, we need to bypass authentication on the ISE for such communication.


TOPOLOGY


Below is the pre-build configuration for the ASA.


Task 1: Certificate Based Authentication

Step 1 of 3: Install the Root CA certificate into ASA


Step 2 of 3 – Setup Tunnel Group

!
tunnel-group sales.w365.vpnet.com type remote-access
tunnel-group sales.w365.vpnet.com general-attributes
 address-pool sales
 default-group-policy GroupPolicy_sales.w365.vpnet.com
tunnel-group sales.w365.vpnet.com webvpn-attributes
 authentication certificate
 group-alias sales.w365.vpnet.com enable
!


Step 3 of 3 – Setup Group Policy

!
group-policy GroupPolicy_sales.w365.vpnet.com internal
group-policy GroupPolicy_sales.w365.vpnet.com attributes
 wins-server none
 dns-server value 192.168.111.5
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 group-lock value sales.w365.vpnet.com
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-acl
 default-domain value cisco.com
 split-dns value cisco.com
 address-pools value sales
 webvpn
  anyconnect keep-installer installed
  anyconnect profiles value sales.w365.vpnet.com_client_profile type user
  always-on-vpn profile-setting
!

Testing

• User attempts to connect.

• Certificate-based authentication is performed.

• User is successfully connected.

Task 2: Setup Authorization

• Task 2, Part 1: Setup ASA for Authorization

Part 1: Step 1 of 2 - Setup ASA for Authorization

• The following extra configuration must be added to the ASA:

!
aaa-server ISE protocol radius
 interim-accounting-update
aaa-server ISE (management) host 192.168.111.6
 key *****
!

Part 1: Step 2 of 2 - Setup ASA for Authorization

!
tunnel-group sales.w365.vpnet.com type remote-access
tunnel-group sales.w365.vpnet.com general-attributes
 address-pool sales
 authorization-server-group ISE
 default-group-policy GroupPolicy_sales.w365.vpnet.com
 authorization-required
tunnel-group sales.w365.vpnet.com webvpn-attributes
 authentication certificate
 group-alias sales.w365.vpnet.com enable
!
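As an added configuration check (not part of the original post), the Python script below parses the aaa-server and tunnel-group lines above and flags a certificate-authenticated tunnel group that lacks authorization-required or authorization-server-group, or that references an aaa-server group which is not defined. The sample configuration is constructed from the lines in this post.

```python
from collections import defaultdict

# Constructed sample: the aaa-server and tunnel-group lines from this post.
SAMPLE_CONFIG = """\
aaa-server ISE protocol radius
 interim-accounting-update
aaa-server ISE (management) host 192.168.111.6
 key *****
tunnel-group sales.w365.vpnet.com type remote-access
tunnel-group sales.w365.vpnet.com general-attributes
 address-pool sales
 authorization-server-group ISE
 default-group-policy GroupPolicy_sales.w365.vpnet.com
 authorization-required
tunnel-group sales.w365.vpnet.com webvpn-attributes
 authentication certificate
 group-alias sales.w365.vpnet.com enable
"""

def parse_blocks(config):
    # Returns {(kind, name): {section: [sub-commands]}} for tunnel-group / aaa-server
    blocks = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in (l for l in config.splitlines() if l.strip()):
        if raw.startswith(" "):          # indented sub-command of the current block
            if current:
                blocks[current[:2]][current[2]].append(raw.strip())
            continue
        parts, current = raw.split(), None
        if parts[0] in ("tunnel-group", "aaa-server") and len(parts) >= 3:
            current = (parts[0], parts[1], " ".join(parts[2:]))
            blocks[current[:2]][current[2]]  # register the section even if empty
    return blocks

def audit(config):
    # Flag certificate-only tunnel groups that do not enforce RADIUS authorization,
    # or whose authorization-server-group is not a defined aaa-server.
    blocks = parse_blocks(config)
    aaa_groups = {name for kind, name in blocks if kind == "aaa-server"}
    findings = []
    for (kind, name), sections in blocks.items():
        if kind != "tunnel-group" or "authentication certificate" not in sections.get("webvpn-attributes", []):
            continue
        general = sections.get("general-attributes", [])
        authz = [l.split()[-1] for l in general if l.startswith("authorization-server-group ")]
        if "authorization-required" not in general or not authz:
            findings.append(f"{name}: certificate auth without required authorization")
        elif authz[0] not in aaa_groups:
            findings.append(f"{name}: authorization server group '{authz[0]}' is not defined")
    return findings
```

Run audit() on the output of "show running-config" to confirm every certificate-authenticated tunnel group is tied to the ISE authorization server before relying on AD group membership for access decisions.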


• Task 2, Part 2: Setup ISE for Authorization

Part 2: ISE: Step 1 of 6

Part 2: ISE: Step 2 of 6

• Perform Active Directory integration and fetch the AD groups.

Part 2: ISE: Step 3 of 6

• Create the appropriate Authorization Profile.

Part 2: ISE: Step 4 of 6

• Create Access Policy.

Part 2: ISE: Step 5 of 6

• Authentication Policy (configured so that authentication is bypassed for this traffic, as explained in the introduction).

Part 2: ISE: Step 6 of 6

• Authorization Policy


Packet Capture Analysis

Packet 1:

Packet 2:

Packet 3:

Packet 4:
