02-11-2022 12:21 AM
Hello,
I have a problem with configuring automatic group policy assignment on the ASA. I want to set full tunnel or split tunnel for a user based on his OU in Active Directory. I'm trying to use ISE for this purpose, but in the end, when the user is connected, he still has default routes even if the group policy has changed. Below are some screenshots from my configuration:
ip local pool AddressPoolForAnyconnectSplitTunnel 10.255.251.100-10.255.251.110 mask 255.255.255.0
ip local pool AddressPoolForAnyconnectAllwaysOn 10.255.252.100-10.255.252.110 mask 255.255.255.0
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
access-list ACL_SPLIT_TUNNEL standard permit 10.1.1.0 255.255.255.0
aaa-server CISCO-ISE protocol radius
 dynamic-authorization
aaa-server CISCO-ISE (management) host *.*.*.*
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
webvpn
 enable OUTSIDE
 hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
 http-headers
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-4.10.04065-webdeploy-k9.pkg 1
 anyconnect profiles AnyConnectProfile disk0:/anyconnectprofile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy DfltGrpPolicy attributes
 dns-server value *.*.*.*
 vpn-simultaneous-logins 10
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 default-domain value *.org
 address-pools value AddressPoolForAnyconnectSplitTunnel
 webvpn
  anyconnect profiles value AnyConnectProfile type user
group-policy GroupPolicyForVPN internal
group-policy GroupPolicyForVPN attributes
 banner value SPLIT VPN
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL_SPLIT_TUNNEL
 address-pools value AddressPoolForAnyconnectSplitTunnel
 webvpn
  anyconnect profiles value AnyConnectProfile type user
group-policy GroupPolicyForALLWAYSON internal
group-policy GroupPolicyForALLWAYSON attributes
 banner value ALWAYS ON VPN
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelall
 split-tunnel-all-dns enable
 address-pools value AddressPoolForAnyconnectAllwaysOn
 webvpn
  anyconnect profiles value AnyConnectProfile type user
dynamic-access-policy-record DfltAccessPolicy
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CISCO-ISE
 authorization-server-group CISCO-ISE
 accounting-server-group CISCO-ISE
On the ASA I see a different group policy for different users, with different tunnel settings, but on the AnyConnect client the routes are not changing and I always see protected routes 0.0.0.0/0.
I would be grateful for help to resolve this problem.
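As an added example (not from this thread or from Cisco), a short Python audit of an ASA running-config in the format posted above: it checks that each group-policy's split-tunnel setting can actually apply and that every tunnel-group names an authentication-server-group backed by an aaa-server definition, which is the gap the replies below point at. The embedded sample is a trimmed copy of the configuration above; the match on `general-attributes`, `attributes` and `protocol` keywords is this script's own parsing assumption.

```python
import re
# Constructed sample: a trimmed copy of the ASA configuration posted in the thread above.
ASA_CONFIG = """\
access-list ACL_SPLIT_TUNNEL standard permit 10.1.1.0 255.255.255.0
aaa-server CISCO-ISE protocol radius
group-policy GroupPolicyForVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL_SPLIT_TUNNEL
group-policy GroupPolicyForALLWAYSON attributes
 split-tunnel-policy tunnelall
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CISCO-ISE
"""

def parse_blocks(config):
    """Map each top-level ASA command to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif not line.startswith(" "):
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def audit(config):
    """Return findings: split-tunnel lists that cannot apply and tunnel-groups that never reach ISE."""
    blocks = parse_blocks(config)
    acls = {h.split()[1] for h in blocks if h.startswith("access-list ")}
    aaa = {h.split()[1] for h in blocks if h.startswith("aaa-server ") and " protocol " in h}
    findings = []
    for head, body in blocks.items():
        if m := re.match(r"group-policy (\S+) attributes", head):
            policy = next((l.split()[-1] for l in body if l.startswith("split-tunnel-policy")), "inherit")
            acl = next((l.split()[-1] for l in body if l.startswith("split-tunnel-network-list")), None)
            if policy in ("tunnelspecified", "excludespecified") and acl is None:
                findings.append(f"{m[1]}: {policy} without split-tunnel-network-list")
            if acl is not None and acl not in acls:
                findings.append(f"{m[1]}: split-tunnel ACL {acl} is not defined")
        elif m := re.match(r"tunnel-group (\S+) general-attributes", head):
            # Skip an optional "(interface)" token; the first remaining token is the server group.
            srv = next((t for l in body if l.startswith("authentication-server-group")
                        for t in l.split()[1:] if not t.startswith("(")), None)
            if srv is None:
                findings.append(f"{m[1]}: no authentication-server-group, so LOCAL AAA is used and ISE is never asked")
            elif srv not in aaa:
                findings.append(f"{m[1]}: authentication-server-group {srv} has no aaa-server definition")
    return findings
```

Feed it the output of `show running-config` (or the relevant sections) to confirm the ASA side is consistent before looking at ISE or the client.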
02-11-2022 06:45 AM - edited 02-11-2022 07:06 AM
auth-server-group ISE ip address <- this is missing from the config under each tunnel-group.
02-11-2022 09:05 AM
By default the tunnel-group uses internal AAA; you must configure the IP of ISE to make the ASA send requests to ISE.
02-11-2022 06:57 AM - edited 02-11-2022 06:58 AM
Interesting! I don't see anything wrong with your config from a quick check, and I don't believe using a single tunnel group would cause any issue, but just for testing, try to create two new tunnel groups, associate a group policy to each one and see if that makes any difference. That would be the way I would do it. Maybe @Rob Ingram has an idea.
02-11-2022 09:54 AM
@MarcinS configuration looks ok. What ASA and AnyConnect versions are you running? I've confirmed it works using a similar configuration on ASA 9.16(1) and AnyConnect 4.8.03036; the user is assigned a group-policy via ISE and the split tunnel routes are applied as expected.
Enable debugs from the CLI and provide the output; use debug webvpn anyconnect 255.
You shouldn't need authorization-server-group CISCO-ISE configured under the tunnel-group; ISE will authorise the session anyway. Usually you get an error in the ISE logs post a successful authentication.
02-14-2022 12:08 AM
I have ASA 9.12(4)37, AnyConnect 4.10.04065 and ISE 2.7 patch 6.
Now I changed the configuration on ISE and also sent the tunnel type in the configuration. I need to check it to be sure, but it looks like it's working; however, I'm not sure that this is the correct way. I haven't seen that kind of configuration anywhere. Did anyone make a configuration like this?
02-14-2022 12:17 AM
@MarcinS you just need to push down the Group Policy; the split tunnel and banner are configured locally on the ASA within the group policy.
Also consider this bug and potentially look to upgrade.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa08262
02-17-2022 12:12 AM
I can confirm that it was a bug; after upgrading to version 9.12(4)38 everything works.
02-14-2022 03:59 AM - edited 02-14-2022 04:02 AM
Nothing wrong with using ISE; rather, I would prefer using ISE wherever possible. From the screenshot above you don't seem to push the tunnel group name to be associated with the connections.
The way I would do it on ISE would be to create the authentication rules defining the landing tunnel groups, and then create the authorization rules to enforce the access based on the tunnel group, for example:
Authentication Rule:
- Cisco-VPN3000-CVPN3000/ASA-PIX7x-Tunnel-Group-Name EQUALS ALWAYSON > Point this to the AD
Authorization Rule:
- Cisco-VPN3000-CVPN3000/ASA-PIX7x-Tunnel-Group-Name EQUALS ALWAYSON
- The AD group name
The tunnel groups need to be created on the firewall.
By doing this, when a user tries to connect to the VPN, the firewall will relay the authentication and the authorization requests to ISE. ISE will then check if the user passed the authentication, carry on to check which authorization rule would be matched, and finally return the attributes to the firewall, which in turn will apply the association. Once the user has been associated with the right tunnel group, all the other attributes that are configured on the tunnel group (among them the group policy) will be applied to the user session.
02-14-2022 05:22 AM - edited 02-14-2022 05:23 AM
@Aref Alsouqi the authentication I check by SAML to Office 365 to have MFA enabled for users. Now I'm wondering if I can switch the authentication from SAML to local AD for some users. I also want to test the ASA and try to boot firmware ASA 9.16(1) to be sure that this is the bug.
02-14-2022 05:28 AM
@MarcinS if it's some users then you could create another tunnel-group/connection profile just for those users and specify a different authentication server.
02-14-2022 09:28 AM
If you just want to change the authentication for some users, then the way I would do it would be to point to ISE as the authentication and the authorization server, and then let ISE check the authentication requests for both SAML and AD.
In that case, from the firewall perspective you just keep pointing to ISE, and then on ISE you create the SAML identity provider and add it to the authentication rules. Now, on the authorization rules, if you don't want to separate the users authenticating against your AD from the SAML ones in terms of the tunnel group, then you can just remove the condition of the AD group from the authorization rule. Basically, that rule would only look at the tunnel group and allow access to the network.