ASA using ISE for Anyconnect Authentication

griffijo
Level 1

I have an ASA-5585X (9.4.4.5) that I'm using to terminate Anyconnect VPN connections, using ISE 2.0 for authentication/authorization.  We would like to assign group-policy based on AD group memberships.  I have everything configured and everything seems to be working with one caveat.  When I assign split-tunnel-policy/split-tunnel-list via the group-policy on the ASA, it does not seem to work; the client has no restrictions on the network even though they are assigned the correct group-policy.  I've tried using ISE to push a DACL, and that works, but there is no Local LAN access for the client.  I've also used the ACL (filter-id) in ISE to assign a locally configured ACL on the ASA.  This also works, but again there is no split-tunnel. I have multiple group-policies, and they are all assigned appropriately via ISE, but I can't seem to get the split-tunnel working. 

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.2.04039-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.14018-k9.pkg 2
 anyconnect profiles XX1_client_profile disk0:/XX1_client_profile.xml
 anyconnect profiles XX2_client_profile disk0:/XX2_client_profile.xml
 anyconnect profiles XX3_client_profile disk0:/XX3_client_profile.xml
 anyconnect profiles edumet_client_profile disk0:/edumet_client_profile.xml
 anyconnect enable
 cache
  disable

!

group-policy GroupPolicy_edumet internal
group-policy GroupPolicy_edumet attributes
 dns-server value 192.168.200.51 192.168.200.52
 vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
 password-storage disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_EDUMET (I've tried this as well as assigning the same ACL via ISE)
 default-domain value eboe.edu
 address-pools value VPN_POOL
 webvpn
  anyconnect profiles value edumet_client_profile type user

!

access-list VPN_EDUMET extended permit tcp any 192.168.102.0 255.255.255.0
access-list VPN_EDUMET extended permit tcp any 192.168.104.0 255.255.255.0
access-list VPN_EDUMET extended permit tcp any host 10.194.101.11

!

1 Reply

Rahul Govindan
VIP Alumni

A split ACL is not like a filter, so you should ideally only be worrying about the subnets and not the protocols (e.g. tcp) in the ACLs. I would put a standard ACL like below for the split ACL:

access-list VPN_EDUMET standard permit 192.168.102.0 255.255.255.0
access-list VPN_EDUMET standard permit 192.168.104.0 255.255.255.0

Port-based rules are more meant for a VPN filter, to restrict what traffic a user can send. You can also add that to the group-policy like below:

access-list VPN_EDUMET_filter extended permit tcp any 192.168.102.0 255.255.255.0
access-list VPN_EDUMET_filter extended permit tcp any 192.168.104.0 255.255.255.0
access-list VPN_EDUMET_filter extended permit tcp any host 10.194.101.11

group-policy GroupPolicy_edumet attributes
 vpn-filter value VPN_EDUMET_filter
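The distinction in the reply (a standard ACL of destination subnets for split tunneling, an extended ACL only where port/protocol restrictions belong, i.e. in a vpn-filter) is easy to get wrong in a config with many group-policies assigned from ISE. The following script is an added example, not code from the thread or from Cisco: a small linter that parses `access-list` and `group-policy ... attributes` lines from an ASA running-config and flags any split-tunnel-network-list that points at an extended ACL, plus any split-tunneled policy that has no vpn-filter. The sample config embedded in it is constructed for the example; the policy names other than `GroupPolicy_edumet` and the ACL names other than `VPN_EDUMET` / `VPN_EDUMET_filter` are hypothetical.

```python
"""Lint an ASA running-config for the split-tunnel vs. vpn-filter mix-up
discussed above. Constructed sample config; not the poster's full config."""
import re
from collections import defaultdict

# Constructed sample: the original (broken) policy beside two corrected variants.
SAMPLE_CONFIG = """\
access-list VPN_EDUMET extended permit tcp any 192.168.102.0 255.255.255.0
access-list VPN_EDUMET extended permit tcp any 192.168.104.0 255.255.255.0
access-list VPN_EDUMET extended permit tcp any host 10.194.101.11
access-list VPN_SPLIT_OK standard permit 192.168.102.0 255.255.255.0
access-list VPN_SPLIT_OK standard permit 192.168.104.0 255.255.255.0
access-list VPN_EDUMET_filter extended permit tcp any 192.168.102.0 255.255.255.0
group-policy GroupPolicy_edumet attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_EDUMET
 vpn-filter value VPN_EDUMET_filter
group-policy GroupPolicy_fixed attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_SPLIT_OK
 vpn-filter value VPN_EDUMET_filter
group-policy GroupPolicy_nofilter attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_SPLIT_OK
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(standard|extended)\s+(permit|deny)\b")
GP_RE = re.compile(r"^group-policy\s+(\S+)\s+attributes\s*$")
SPLIT_RE = re.compile(r"^\s*split-tunnel-network-list\s+value\s+(\S+)")
FILTER_RE = re.compile(r"^\s*vpn-filter\s+value\s+(\S+)")


def parse_config(text):
    """Return (acl_types, policies): ACL name -> set of ACL kinds seen
    ('standard'/'extended'), and group-policy name -> {'split': acl, 'filter': acl}."""
    acl_types = defaultdict(set)
    policies = {}
    current = None  # group-policy whose attributes submode we are in
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            acl_types[m.group(1)].add(m.group(2))
            continue
        m = GP_RE.match(line)
        if m:
            current = m.group(1)
            policies[current] = {}
            continue
        if current and line.startswith((" ", "\t")):
            # ASA indents submode commands with a single space
            m = SPLIT_RE.match(line)
            if m:
                policies[current]["split"] = m.group(1)
            m = FILTER_RE.match(line)
            if m:
                policies[current]["filter"] = m.group(1)
        elif line.strip():
            current = None  # any other top-level command ends the submode
    return acl_types, policies


def lint(text):
    """Return a list of (policy, severity, message) findings."""
    acl_types, policies = parse_config(text)
    findings = []
    for gp, attrs in policies.items():
        split = attrs.get("split")
        if split is None:
            continue  # no split tunneling configured on this policy
        if split not in acl_types:
            findings.append((gp, "error", f"split-tunnel list {split} is not defined"))
        elif "extended" in acl_types[split]:
            findings.append((gp, "error",
                             f"split-tunnel list {split} is an extended ACL; "
                             "use a standard ACL of destination subnets"))
        if "filter" not in attrs:
            findings.append((gp, "warn",
                             "split tunneling without vpn-filter: tunneled traffic "
                             "is not restricted by port/protocol"))
    return findings


if __name__ == "__main__":
    for gp, sev, msg in lint(SAMPLE_CONFIG):
        print(f"[{sev}] {gp}: {msg}")
```

Run it against `show running-config` output saved to a file by replacing `SAMPLE_CONFIG` with the file contents; the only assumption about layout is the ASA convention that submode commands are indented by one space, which is how `show running-config` prints them.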