01-07-2022 09:43 AM
Hi All
We are trying to achieve a solution whereby a single tunnel group authenticates with Cisco ISE, and the ISE policies determine which of 2 group policies a user should be in.
This looks to be working correctly: when a user logs in they are placed in the correct group-policy, but the client doesn't seem to pick up any of the attributes from the group policy or pull down the AnyConnect profile associated with the group-policy,
although the logs indicate it's all correct.
Summary below of how we have it configured.
ASA config
Tunnel group
tunnel-group AGS_CORP type remote-access
tunnel-group AGS_CORP general-attributes
 address-pool AGS_CORP
 authentication-server-group AGS_RADIUS
 authorization-server-group AGS_RADIUS
 default-group-policy GroupPolicy_AGS_CORP_DENY
 strip-realm
 authorization-required
tunnel-group AGS_CORP webvpn-attributes
 authentication certificate
 pre-fill-username client hide
 group-alias AGS_CORP enable
tunnel-group AGS_CORP ipsec-attributes
 peer-id-validate cert
 chain
Below is the group policy associated with the above tunnel group.
group-policy GroupPolicy_AGS_CORP_DENY internal
group-policy GroupPolicy_AGS_CORP_DENY attributes
 dns-server value 10.213.100.11 10.213.100.12
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol ikev2 ssl-client
Group policy 1.
group-policy GroupPolicy_AGS_CORP internal
group-policy GroupPolicy_AGS_CORP attributes
 wins-server none
 dns-server value 10.213.100.11 10.213.100.12
 vpn-filter value AGS_VPN_SEGREGATION
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value AGS_SPLIT1
 default-domain value core.agsairports.co.uk
 split-tunnel-all-dns enable
 anyconnect-custom dynamic-split-exclude-domains value Office365_SplitTun
 webvpn
  anyconnect modules value vpngina
  anyconnect profiles value ags-ac-profile type user
  always-on-vpn profile-setting
Group Policy 2.
group-policy GroupPolicy_AGS_CORP_UMBRELLA internal
group-policy GroupPolicy_AGS_CORP_UMBRELLA attributes
 wins-server none
 dns-server value 10.213.100.11 10.213.100.12
 vpn-filter value AGS_VPN_SEGREGATION
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AGS_CORP_VPN_SPLIT_UMBRELLA
 default-domain value core.agsairports.co.uk
 webvpn
  anyconnect modules value dart,vpngina,umbrella
  anyconnect profiles value ags-ac-umb-profile type user
  anyconnect profiles value ags-ac-umb-roaming-profile type umbrella
  always-on-vpn profile-setting
WEBVPN CONFIG (NOTE: WE ARE USING CERTIFICATE GROUP MAPPING TO THE AGS_CORP TUNNEL GROUP)
webvpn
 enable outside
 anyconnect-custom-attr dynamic-split-exclude-domains description Office365
 anyconnect-custom-attr dynamic-split-include-domains description OneDrive
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/anyconnect-win-4.10.01075-webdeploy-k9.pkg 1
 anyconnect profiles ags-ac-profile disk0:/ags-ac-profile.xml
 anyconnect profiles ags-ac-umb-profile disk0:/ags-ac-umb-profile.xml
 anyconnect profiles ags-ac-umb-roaming-profile disk0:/OrgInfo.json
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 certificate-group-map AnyConnect_Cert 10 AGS_CORP
 error-recovery disable
ISE POLICIES
Log attached
Cheers
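A consistency check a practitioner might run over a config like the one above before blaming ISE: every AnyConnect profile a group-policy pushes must also be defined under the global webvpn block, or the client gets nothing to download. This is an added example written for this thread, not code from the post or from Cisco; the sample config is constructed from the post's names, with one definition deliberately omitted.

```python
"""Cross-check AnyConnect profile references in an ASA config: every profile a
group-policy pushes must be defined under the global webvpn block, and each
default-group-policy must exist. Relies on `show run` indentation (one space)."""
import re

# Constructed sample after the post's config; roaming-profile definition omitted on purpose.
SAMPLE_CONFIG = """\
tunnel-group AGS_CORP general-attributes
 default-group-policy GroupPolicy_AGS_CORP_DENY
group-policy GroupPolicy_AGS_CORP_DENY internal
group-policy GroupPolicy_AGS_CORP attributes
 webvpn
  anyconnect profiles value ags-ac-profile type user
group-policy GroupPolicy_AGS_CORP_UMBRELLA attributes
 webvpn
  anyconnect profiles value ags-ac-umb-profile type user
  anyconnect profiles value ags-ac-umb-roaming-profile type umbrella
webvpn
 anyconnect profiles ags-ac-profile disk0:/ags-ac-profile.xml
 anyconnect profiles ags-ac-umb-profile disk0:/ags-ac-umb-profile.xml
"""

def lint_anyconnect(config: str) -> list:
    """Return a list of findings; an empty list means every reference resolves."""
    defined, policies, defaults, ctx = set(), {}, {}, (None, None)
    for line in filter(str.strip, config.splitlines()):
        if not line.startswith(" "):  # a top-level command opens a new context
            if m := re.match(r"group-policy (\S+) (internal|attributes)$", line):
                policies.setdefault(m[1], [])
                ctx = ("gp", m[1])
            elif m := re.match(r"tunnel-group (\S+) \S+", line):
                ctx = ("tg", m[1])
            else:
                ctx = ("webvpn", None) if line == "webvpn" else (None, None)
            continue
        kind, name, cmd = ctx[0], ctx[1], line.strip()
        if kind == "gp" and (m := re.match(r"anyconnect profiles value (\S+) type (\S+)", cmd)):
            policies[name].append((m[1], m[2]))  # profile the client will be told to load
        elif kind == "tg" and (m := re.match(r"default-group-policy (\S+)", cmd)):
            defaults[name] = m[1]
        elif kind == "webvpn" and (m := re.match(r"anyconnect profiles (?!value\b)(\S+) \S+", cmd)):
            defined.add(m[1])  # profile that actually has a file behind it
    findings = [f"{gp}: {ptype} profile '{prof}' is not defined under webvpn"
                for gp, refs in policies.items() for prof, ptype in refs if prof not in defined]
    findings += [f"tunnel-group {tg}: default-group-policy '{gp}' does not exist"
                 for tg, gp in defaults.items() if gp not in policies]
    return findings

if __name__ == "__main__":
    print("\n".join(lint_anyconnect(SAMPLE_CONFIG) or ["no findings"]))
```

Feed it the output of `show running-config` saved to a file; it only reads the three contexts it needs and ignores everything else.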
01-07-2022 10:06 AM
@Craig Pitkin It's been a while since I last checked, but I don't think you need to define the authorisation server, as if you send authentication to ISE it will process authorisation post authentication anyway. Not sure removing authorisation server will resolve the issue though.
The ASA logs mention DAP, do you have any DAP policies defined?
When you run "show vpn-sessiondb anyconnect", what GP does it assign to the user?
What ASA software version are you running?
01-07-2022 10:22 AM
Is it possible you are hitting https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa08262 ?