Anyconnect - single tunnel with multiple group policies ISE

Craig Pitkin
Level 1

 

Hi All 

 

We are trying to achieve a solution whereby a single tunnel group authenticates with Cisco ISE and, by the use of the ISE policies, determines which of 2 group policies a user should be in.

 

This looks to be working correctly: when a user logs in they are placed in the correct group-policy, but the client doesn't seem to pick up any of the attributes from the group policy or pull down the AnyConnect profile associated with the group-policy.

 

Although the logs indicate it's all correct...

 

 

Summary below of how we have it configured:

 

 

ASA config

 

Tunnel group

 

tunnel-group AGS_CORP type remote-access
tunnel-group AGS_CORP general-attributes
 address-pool AGS_CORP
 authentication-server-group AGS_RADIUS
 authorization-server-group AGS_RADIUS
 default-group-policy GroupPolicy_AGS_CORP_DENY
 strip-realm
 authorization-required
tunnel-group AGS_CORP webvpn-attributes
 authentication certificate
 pre-fill-username client hide
 group-alias AGS_CORP enable
tunnel-group AGS_CORP ipsec-attributes
 peer-id-validate cert
 chain

 

Below is associated with the above tunnel group:

 

group-policy GroupPolicy_AGS_CORP_DENY internal
group-policy GroupPolicy_AGS_CORP_DENY attributes
 dns-server value 10.213.100.11 10.213.100.12
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol ikev2 ssl-client

 

 

Group policy 1.

 

group-policy GroupPolicy_AGS_CORP internal
group-policy GroupPolicy_AGS_CORP attributes
 wins-server none
 dns-server value 10.213.100.11 10.213.100.12
 vpn-filter value AGS_VPN_SEGREGATION
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value AGS_SPLIT1
 default-domain value core.agsairports.co.uk
 split-tunnel-all-dns enable
 anyconnect-custom dynamic-split-exclude-domains value Office365_SplitTun
 webvpn
  anyconnect modules value vpngina
  anyconnect profiles value ags-ac-profile type user
  always-on-vpn profile-setting

 

Group Policy 2.

 

group-policy GroupPolicy_AGS_CORP_UMBRELLA internal
group-policy GroupPolicy_AGS_CORP_UMBRELLA attributes
 wins-server none
 dns-server value 10.213.100.11 10.213.100.12
 vpn-filter value AGS_VPN_SEGREGATION
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AGS_CORP_VPN_SPLIT_UMBRELLA
 default-domain value core.agsairports.co.uk
 webvpn
  anyconnect modules value dart,vpngina,umbrella
  anyconnect profiles value ags-ac-umb-profile type user
  anyconnect profiles value ags-ac-umb-roaming-profile type umbrella
  always-on-vpn profile-setting

 

 

WEBVPN CONFIG (NOTE WE ARE USING CERTIFICATE GROUP MAPPING TO THE AGS_CORP TUNNEL GROUP)

 

webvpn
 enable outside
 anyconnect-custom-attr dynamic-split-exclude-domains description Office365
 anyconnect-custom-attr dynamic-split-include-domains description OneDrive
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/anyconnect-win-4.10.01075-webdeploy-k9.pkg 1
 anyconnect profiles ags-ac-profile disk0:/ags-ac-profile.xml
 anyconnect profiles ags-ac-umb-profile disk0:/ags-ac-umb-profile.xml
 anyconnect profiles ags-ac-umb-roaming-profile disk0:/OrgInfo.json
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 certificate-group-map AnyConnect_Cert 10 AGS_CORP
 error-recovery disable

 

 

ISE POLICIES

 

[Screenshots of the ISE policies attached: CraigPitkin_1-1641576102398.png, CraigPitkin_0-1641576072400.png, CraigPitkin_2-1641576134540.png]

Log attached 

Cheers
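As an added example (not part of the original post or of any Cisco tool), the following script parses the two-column text of "show vpn-sessiondb anyconnect" and reports which group policy the ASA actually applied to each session, flagging users who fell through to the tunnel group's default-group-policy (GroupPolicy_AGS_CORP_DENY here) because ISE authorization returned no usable group-policy attribute, and users whose applied policy differs from what the ISE authorization rule was expected to return. The sample output, usernames, IP addresses and the expected-policy mapping are constructed; the column layout is assumed to match the usual ASA format, where two key/value pairs share one line and are separated by whitespace.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of "show vpn-sessiondb anyconnect" output (not captured from
# the poster's ASA). alice got the intended policy; bob landed in the default one.
SAMPLE_OUTPUT = """\
Session Type: AnyConnect

Username     : alice                  Index        : 12
Assigned IP  : 10.213.200.5           Public IP    : 203.0.113.10
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256
Bytes Tx     : 14520                  Bytes Rx     : 98231
Group Policy : GroupPolicy_AGS_CORP   Tunnel Group : AGS_CORP
Login Time   : 10:02:11 UTC Fri Jan 7 2022
Duration     : 0h:04m:33s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : 0ad56401000c000061d7f4a3

Username     : bob                    Index        : 13
Assigned IP  : 10.213.200.6           Public IP    : 198.51.100.7
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256
Bytes Tx     : 1201                   Bytes Rx     : 3310
Group Policy : GroupPolicy_AGS_CORP_DENY  Tunnel Group : AGS_CORP
Login Time   : 10:05:40 UTC Fri Jan 7 2022
Duration     : 0h:01m:04s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : 0ad56401000d000061d7f572
"""

# One "Key : value" pair; the value runs until the next "Key :" column or end of line.
# Keys are letter/space words, so "SSL-Tunnel:" inside an Encryption value is not
# mistaken for a new column (the hyphen breaks the key pattern).
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)(?=\s+[A-Za-z][A-Za-z ]*?\s*:|\s*$)")


def parse_sessions(output: str) -> List[Dict[str, str]]:
    """Turn the command output into one dict per session, keyed by column name."""
    sessions: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in output.splitlines():
        for key, value in FIELD_RE.findall(line):
            key = key.strip()
            if key == "Username":  # every session block starts with the Username column
                current = {}
                sessions.append(current)
            if current is not None:  # header lines before the first session are skipped
                current[key] = value.strip()
    return sessions


def check_assignments(sessions: List[Dict[str, str]], expected_gp: Dict[str, str],
                      default_gp: str) -> List[Tuple[str, str]]:
    """Compare the applied group policy with the one ISE was expected to return.

    Returns (username, finding) pairs; an empty list means every session matched.
    """
    findings: List[Tuple[str, str]] = []
    for s in sessions:
        user, applied = s.get("Username", "?"), s.get("Group Policy", "")
        if applied == default_gp:
            # ISE authenticated the user but sent no group-policy attribute the ASA
            # accepted, so the tunnel group's default-group-policy was applied.
            findings.append((user, f"fell through to default-group-policy {default_gp}"))
        elif user in expected_gp and applied != expected_gp[user]:
            findings.append((user, f"applied {applied}, expected {expected_gp[user]}"))
    return findings


if __name__ == "__main__":
    # Constructed expectation: what the ISE authorization rules should return per user.
    expected = {"alice": "GroupPolicy_AGS_CORP", "bob": "GroupPolicy_AGS_CORP_UMBRELLA"}
    for user, finding in check_assignments(parse_sessions(SAMPLE_OUTPUT), expected,
                                           "GroupPolicy_AGS_CORP_DENY"):
        print(f"{user}: {finding}")
```

Paste the real command output in place of SAMPLE_OUTPUT and fill the mapping from the ISE authorization rules; a session that shows the default policy in the "Group Policy" column means the ISE result never reached the ASA as a group-policy assignment, while a session that shows the right policy but lacks its attributes points at the group policy or profile itself rather than at ISE.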

2 Replies

@Craig Pitkin It's been a while since I last checked, but I don't think you need to define the authorisation server, as if you send authentication to ISE it will process authorisation post authentication anyway. Not sure removing authorisation server will resolve the issue though.

 

The ASA logs mention DAP, do you have any DAP policies defined?

 

When you run "show vpn-sessiondb anyconnect", what GP does it assign to the user?

 

What ASA software version are you running?

 

stsargen
Cisco Employee