3789 Views | 10 Helpful | 4 Replies

ASA 5525X Anyconnect configuration with ISE 2.1

I have a new ISE 2.1 deployment that is only being used for device management at the moment.  The intention is that it will be used as a RADIUS server for our VPN authentications.

The 5525x is a brand new ASA running 9.4 code.  I want to configure the VPN policy on the ASA so that each user is assigned a DAP based on their department.

I already have the department designation for the user accounts assigned in AD via group membership.  I don't know how to get ISE to pass along the group membership to the ASA so that it can associate the user based on that group membership to the correct DAP.

I have been unsuccessful in determining how this is supposed to work.  Thanks for any help.

Accepted Solution

Marvin Rhoads
Hall of Fame

harrijs01,

Normally we Authenticate and Authorize users and then push dACLs or authorize connection profiles etc. from ISE based on conditions like Posture check results or details of the user identity (such as AD or other external identity store group membership).

There are a couple of good guides for doing so including detailed examples:

https://communities.cisco.com/docs/DOC-68158

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118714-configure-ise-00.html#anc16

While these primarily focus on the Posture use case, they can be adapted to add other uses. For instance, the condition check in ISE can be the result of not only a Posture check but also membership in a given AD group, or another if you make it a compound condition.

I don't believe we can specify to the ASA to call out a given DAP policy as the Hostscan module cannot be used at the same time as the ISE Posture module. However, you should be able to accomplish just about everything that you used to rely on DAP for with the ISE Posture Module of AnyConnect (assuming you have AnyConnect 4.x Apex licenses).

If you want to stick with the ASA DAP model, you could forgo using the ISE Posture module and policies and instead create an Authorization Profile (result) to send the ASA a RADIUS A-V pair based on a match (in ISE Authorization policy) with the AD group. There is a "Cisco-VPN-3000" A-V known as "PIX7x-Member-Of" that can be used in ASA dynamic access policies. You can see it (and all other A-V pairs supported by ISE) here:

https://communities.cisco.com/docs/DOC-67894


4 Replies

Marvin,

Thanks for your response.  I had some of my acronyms mixed up.  We would like to be able to authenticate users via ISE and then authorize users by pushing dACLs.  I would also like to be able to auto-select the tunnel group (connection profile) for the user based on an AD group membership value.

Logically in my mind I have the process mapped as follows:

ASA passes authC to ISE

ISE authZ response passes class selection back to ASA

class selection matches a group policy which sets ACL

Another question I have is about the configuration procedure for setting the Authentication method for a tunnel-group to both AAA and Certificate.  I can choose the Both radio button but can't figure out where I configure the certificate definition that the ASA and Anyconnect should use to determine that this machine is a corporate asset.  This would restrict only connections from a corporate supplied machine to be associated to this tunnel-group.  Could you provide any additional details on this?  Thanks.
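As an added example (not configuration from the thread or from Cisco's documents), here is the ASA side of the three-step flow mapped out above: ISE authenticates the user against AD, its Authorization Profile returns a RADIUS Class attribute of the form OU=<group-policy-name> (ISE's "ASA VPN" common task), and the ASA picks the group-policy of that name, whose vpn-filter applies the ACL. It also shows the "Both" (AAA plus certificate) tunnel-group authentication asked about, with a certificate map that steers corporate machine certificates into the profile. All names, addresses, the pool, ACL entries and the shared secret are placeholders, and it assumes webvpn and an AnyConnect image are already enabled on the outside interface.

```cisco
! Added example, not from the thread: ASA 9.x side of the OP's flow.
! ISE authenticates the user and its Authorization Profile returns
! RADIUS Class = "OU=<group-policy-name>"; the ASA selects the
! group-policy of that name and its vpn-filter applies the ACL.
! Names, addresses, pool, ACL contents and the key are placeholders.

aaa-server ISE-RADIUS protocol radius
 dynamic-authorization
aaa-server ISE-RADIUS (inside) host 10.1.1.20
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813

ip local pool VPN-POOL 10.99.0.10-10.99.0.250 mask 255.255.255.0

! One group-policy per department. An ISE rule matching the AD group
! returns Class OU=GP-ENGINEERING; the vpn-filter is what that user reaches.
access-list ACL-ENGINEERING extended permit ip any 10.20.0.0 255.255.0.0
access-list ACL-ENGINEERING extended deny ip any any
group-policy GP-ENGINEERING internal
group-policy GP-ENGINEERING attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value ACL-ENGINEERING

! Fail closed: a user whose AD group matches no ISE rule lands here.
access-list ACL-DENY-ALL extended deny ip any any
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value ACL-DENY-ALL

! Trust anchor for the corporate machine certificate and a map that
! sends only certificates from that issuer into RA-VPN ("Both" case).
crypto ca trustpoint CORP-CA
 enrollment terminal
crypto ca certificate map CORP-MACHINE 10
 issuer-name attr cn eq Corp-Issuing-CA

tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE-RADIUS
 authorization-server-group ISE-RADIUS
 accounting-server-group ISE-RADIUS
 default-group-policy GP-NOACCESS
tunnel-group RA-VPN webvpn-attributes
 authentication aaa certificate
 group-alias RA-VPN enable
webvpn
 certificate-group-map CORP-MACHINE 10 RA-VPN
```

A quick check after a test login is `show vpn-sessiondb anyconnect`, which lists the group-policy the session actually received; if it shows GP-NOACCESS, the ISE authorization rule or the Class value did not match.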

You can authenticate the machine or user (or both) using a certificate. There are some details on that here:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/ise_active_directory_integration/b_ISE_AD_integration_2x.html#ID500

...including mention of choosing which attribute in the certificate to check.

You can choose an authorization profile to check a user's AD group membership and then push a dACL to the ASA (or alternatively assign a group policy, or both).

This is documented in the following article (talks about the posture use case but still applicable for the concept of asking ISE to check for something and then tell the ASA how to treat the connection based on what ISE finds out about the user - be it posture, group membership etc.):

https://communities.cisco.com/docs/DOC-68158

Is it possible to use the posture assessment to determine if the connecting device is using a Android OS?