When users authenticate to AD through ISE for SSLVPN connections, the ASA lists the users as being in domain \LOCAL. The \LOCAL\User + IP address can now be passed to Context Directory Agent and be available for Identity-based firewalls. The problem is that I can't configure ASA ACLs based on AD groups for VPN users since they show in domain \LOCAL.
Is it possible to either pass a RADIUS attribute to update the domain on the VPN ASA from \LOCAL to an actual AD domain or to change the \LOCAL to an actual AD domain on Context Directory Agent?
If the above is not possible, my work around is to use SGFW SGT rules to simulate AD groups and use \LOCAL\User IDBF rules for individual access. I can pass the SGT/IP mapping to other ASAs using SXP and pass the \LOCAL\User/IP mapping using CDA.
I was hopeful that the user-identity default-domain SAMPLE would put VPN users in the specified domain when they log in, but it doesn't. I think this command allows you to enter usernames without the domain in ACLs and have the ASA insert it for you.
It would be nice to be able to either overwrite LOCAL with a real domain name on the ASA, or better yet, to be able to pass a RADIUS attribute to the ASA with the accept packet to inform the ASA to place the user in the specified domain in its internal user database. Without a feature like this, I cannot use AD group based ACLs on the firewall.
The next person who views this, can you just leave a quick reply saying you saw it? I have been in what appears to be a forum black hole for months. It could just be that the forum just isn't what it used to be.
Is there anyone out there? Seriously, I haven't gotten a reply on any discussions in months. What is going on? This used to be such a good place to share experiences and knowledge.
The same user showing as LOCAL\user1 through VPN and DOMAIN\user1 when logged into the Windows domain and mapped with CDA is not very useful. First, if I want to configure a user level ACL for this user, it would require two entries. Second, I can't match the user to an AD group ACL when they are logged in through VPN. Unless I am missing something, this solution is not optimally functional.
I see that the newest version of CDA lets you apply a domain to users that don't have a domain specified when it is learned from ISE (802.1x). A feature like this would be nice to be able to override the LOCAL\ domain with an actual domain in CDA for VPN users. I still think it would be better to be able to pass the attribute during authentication through RADIUS for users that were actually authenticated against a domain controller through ISE.
I don't know if you are aware, but if you authenticate directly to AD for VPN users, you do get the actual domain in the ASA user database. Unfortunately, that doesn't work if you have both local ISE users and AD users using VPN. It may be possible to set up different tunnel-groups (one for internal users and one for AD users), but I'm not sure with SSLVPN (AnyConnect). In any case, can posturing be done when using AD authentication?
This leaves IDFW short of being a complete network wide solution.
I found a fix for this issue at least in the environment that I am working in with a single AD domain. I found that if I send RADIUS accounting to ISE instead of directly to CDA from the ASA, ISE will send a user to IP mapping syslog to CDA that does not contain the domain. Since the domain is blank doing it this way, I can insert the domain on CDA. The newest version of CDA allows inserting a domain when one is not present. I am currently using patch 4 that has this feature.
Sending RADIUS accounting directly from the ASA to CDA does contain the domain LOCAL, so it cannot be overwritten.
Mark, we have the exact scenario... can you please explain how you integrated and what versions of each? Here is what we have and want to do:
- ASA VPN auths to ISE
- ASA configured with IDFW features and is a consumer of CDA (LDAP to same AD where ISE auths)
- ISE integrated with CDA sending auth/acct logs for wireless and VPN users
Any help would be appreciated, we've been stuck with this for a while.
I believe the feature to insert a domain when one is not included in the syslog is first found in CDA 1.0 patch 3.
I should add that CDA sets the domain to LOCAL by default if one is not provided in the syslog message. I had actually had the ASA to ISE to CDA configured for a while before it was realized that the LOCAL domain seen in CDA was not from the ASA VPN syslog from ISE, but was inserted by CDA since the domain was missing in the syslog. If you update the CDA default domain it will be inserted into the VPN user/ip mapping entry. Wireless to ISE to CDA does include the domain. I think you have to send accounting from ISE to CDA for the domain to show up in ISE.
You don't need to add the ASA as a user/IP mapping source since ISE is sending the syslog. You only add it as a client of CDA and connect it to the domain controller for group membership queries.
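The ASA side of the arrangement described in this thread (VPN authentication and RADIUS accounting both sent to ISE rather than accounting going directly to CDA, the ASA registered with CDA only as a consumer, and AD group lookups done over LDAP), as an added configuration example that is not from any poster in the thread. The server group names, interface name, IP addresses (192.0.2.x documentation range), domain name EXAMPLE, LDAP DNs and tunnel-group name are all placeholders; substitute your own, and keep the RADIUS shared secrets out of version control.

```cisco
! --- Added example, not from the original thread. All names/addresses are placeholders. ---

! RADIUS server group for ISE: used for both VPN authentication and accounting.
! Sending accounting here (instead of to CDA) is what makes ISE forward a
! user/IP syslog to CDA without a domain, so CDA's default domain can be applied.
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.0.2.10
 key ISE-SHARED-SECRET

! CDA as the identity (AD agent) source for user/IP mappings.
! The ASA only consumes mappings from CDA; it is NOT configured as a mapping source.
aaa-server CDA protocol radius
 ad-agent-mode
aaa-server CDA (inside) host 192.0.2.20
 key CDA-SHARED-SECRET
 user-identity

! LDAP server group pointing at the same AD that ISE authenticates against,
! used by the ASA for group membership queries in identity-based ACLs.
aaa-server EXAMPLE-LDAP protocol ldap
aaa-server EXAMPLE-LDAP (inside) host 192.0.2.30
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-login-dn CN=asa-ldap,OU=Service Accounts,DC=example,DC=local
 ldap-login-password LDAP-BIND-PASSWORD
 server-type microsoft

! Identity firewall wiring: map the EXAMPLE domain to the LDAP group,
! use it as the default domain for usernames given without one in ACLs,
! and pull user/IP mappings from CDA.
user-identity domain EXAMPLE aaa-server EXAMPLE-LDAP
user-identity default-domain EXAMPLE
user-identity ad-agent aaa-server CDA
user-identity enable

! SSL VPN tunnel-group: authenticate AND account to ISE.
tunnel-group SSLVPN general-attributes
 authentication-server-group ISE
 accounting-server-group ISE

! Identity-based ACL entry that can now match VPN users by AD group,
! once CDA inserts the EXAMPLE domain into the ISE-learned mapping.
access-list INSIDE_IN extended permit ip user-group EXAMPLE\\VPN-Admins any object-group INTERNAL-SERVERS
```

After applying this, confirm on the ASA with `show user-identity user all` (or `show user-identity ip-of-user <name>`) that a connected VPN user appears as EXAMPLE\user rather than LOCAL\user, and on CDA that the default domain is set to EXAMPLE and that the mapping arrives from ISE, not from the ASA. If the user still shows as LOCAL, the usual cause is that the tunnel-group is still sending accounting to the CDA server group rather than to ISE.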