Cisco ISE + Cisco FTD + Cisco Anyconnect VPN and Authorization Profile

devnetwise
Level 1

Hello experts,

 

I got the following setup:

Cisco ISE + Cisco FTD + Cisco Anyconnect VPN

 

On Cisco FTD I have configured a Cisco AnyConnect VPN profile with authentication done through AD, while Cisco ISE is the authorization server. On Cisco ISE I have created a Policy Set with an Authentication Policy (Continue/Continue/Continue), while in the Authorization Policy I have two rules: a) User Member of VPN Group and b) NoAccess. If the user is not a member of the VPN group, it hits the NoAccess rule, but the user is still able to log in to Cisco AnyConnect VPN. On Cisco FTD I have configured a group policy named NoAccess with "Simultaneous Login Per User" set to 0.

 

[Image: NoAccess.PNG]

 

In Cisco ISE I have created an Authorization Profile as "Result" with "Access Type = ACCESS_REJECT, Class = NOACCESS". Although it hits the correct authorization rule "NoAccess", the user is still able to log in with the Cisco AnyConnect client. I think that Cisco ISE is not sending Class = NOACCESS together with the ACCESS_REJECT back to Cisco FTD in order to block the user from logging in.

 

I hope someone can help me to resolve this issue or have any other suggestion on how to get this working.

 

Thanks.

 

Regards,

Sal


When the user is logged in, do a

show vpn-sessiondb detail anyconnect

There you see which group-policy is applied. Also look at the details of the ISE live log, where you see at the bottom which attributes are sent to the firewall.
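The same check can be made against a packet capture of the RADIUS reply taken between the FTD and ISE, which shows what actually went over the wire rather than what the ISE profile says. The following is an added example written for this page, not code from the thread or from Cisco: it builds and decodes RADIUS replies per RFC 2865 (Access-Accept is code 2, Access-Reject is code 3, Class is attribute 25), verifies the Response Authenticator against the shared secret, and extracts the group-policy name a NAD would read from Class. The shared secret, Request Authenticator and attribute values are constructed for the demonstration; in a real check they come from the capture. Note that RFC 2865 permits Class only in an Access-Accept: an Access-Reject refuses the session outright, so a Class attribute carried on a reject assigns no group policy, which is why the helper below returns None for it.

```python
"""Decode RADIUS replies and read the Class (group-policy) attribute.

Added example for checking the FTD <-> ISE exchange from a capture.
Constructed data only: the shared secret and Request Authenticator are
made up; a real check uses the bytes taken from the packet capture.
RFC 2865: Access-Accept = code 2, Access-Reject = code 3, Class = type 25.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_CLASS = 25
ATTR_REPLY_MESSAGE = 18
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept",
              3: "Access-Reject", 11: "Access-Challenge"}

# Constructed stand-ins for values you would take from the capture.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))


def build_reply(code, ident, request_auth, secret, attrs):
    """Build a RADIUS reply; attrs is a list of (type, value_bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_reply(packet, request_auth, secret):
    """Parse a reply, verify its Response Authenticator, return its fields."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    body = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    authentic = hmac.compare_digest(expected, packet[4:20])
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length_ = body[pos], body[pos + 1]
        if length_ < 2 or pos + length_ > len(body):
            raise ValueError("bad attribute length")
        attrs.append((t, body[pos + 2:pos + length_]))
        pos += length_
    return {"code": code, "name": CODE_NAMES.get(code, f"code {code}"),
            "id": ident, "authentic": authentic, "attributes": attrs}


def group_policy_from_reply(reply):
    """Group-policy name the NAD would take from Class, or None.

    RFC 2865 allows Class only in an Access-Accept; an Access-Reject ends
    the session, so a Class riding on it assigns nothing.  A leading "OU="
    is stripped, since the ASA accepts both "name" and "OU=name" forms.
    """
    if reply["code"] != ACCESS_ACCEPT:
        return None
    for t, v in reply["attributes"]:
        if t == ATTR_CLASS:
            name = v.decode("ascii", "replace")
            return name[3:] if name.startswith("OU=") else name
    return None


def demo():
    """Accept with a Class, reject with a Class, and a tampered accept."""
    accept = build_reply(ACCESS_ACCEPT, 7, REQUEST_AUTHENTICATOR, SHARED_SECRET,
                         [(ATTR_CLASS, b"OU=NOACCESS")])
    reject = build_reply(ACCESS_REJECT, 8, REQUEST_AUTHENTICATOR, SHARED_SECRET,
                         [(ATTR_CLASS, b"NOACCESS"),
                          (ATTR_REPLY_MESSAGE, b"Not a member of the VPN group")])
    # Same-length edit of the Class value; the authenticator no longer matches.
    tampered = accept[:20] + accept[20:].replace(b"NOACCESS", b"SSLVPN__")
    return (parse_reply(accept, REQUEST_AUTHENTICATOR, SHARED_SECRET),
            parse_reply(reject, REQUEST_AUTHENTICATOR, SHARED_SECRET),
            parse_reply(tampered, REQUEST_AUTHENTICATOR, SHARED_SECRET))


if __name__ == "__main__":
    for r in demo():
        print(r["name"], "authentic" if r["authentic"] else "BAD AUTHENTICATOR",
              "group-policy:", group_policy_from_reply(r))
```

To use it on real traffic, take the reply's UDP payload and the matching request's 16-byte Authenticator (bytes 4..19 of the Access-Request with the same Identifier) from the capture, and supply the shared secret configured on the FTD for ISE. If the decoded code is Access-Accept with a Class naming a group policy that does not exist on the FTD, or the code is Access-Reject, the reason the session was still built lies on the NAD side and not in the attribute list.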

 

Hi Karsten,

 

Thanks for your reply. I can see that the correct group policy has been applied:

 

Username : ############ Index : 194
Assigned IP : ############ Public IP : ############
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES-GCM-256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA384
Bytes Tx : 3319652 Bytes Rx : 3378615
Pkts Tx : 7966 Pkts Rx : 9056
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : GroupPolicy_SSLVPN_TEST
Tunnel Group : SSLVPN_TEST
Login Time : 09:56:33 UTC Wed Nov 3 2021
Duration : 0h:20m:25s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 3e8455a2000c200061825cd1
Security Grp : none Tunnel Zone : 0

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

 

The attributes sent to firewall:

 

[Image: Capture.PNG]

 

I think the issue is that ISE is not sending the RADIUS attribute "Class = NOACCESS" back to the firewall, which is the name of the group policy with Simultaneous Login Per User = 0.

 

Thanks.

Where does the group-policy GroupPolicy_SSLVPN_TEST come from? The local FTD config?

How have you configured the Class attribute? Did you use the Common Task "ASA VPN" or something else?

Hi Karsten,

 

The group-policy GroupPolicy_SSLVPN_TEST is coming from the local FTD. I have configured the Class attribute by using the Common Task "ASA VPN". I have also tried using the Advanced Attributes Settings and adding Radius-Class = NOACCESS, but it didn't help either.

 

What I'm trying to achieve is that if a VPN user is not a member of a particular group in AD, the user should not be able to log in to Cisco AnyConnect VPN. To achieve that I have configured an "empty" group policy in FTD called NOACCESS, and I have only changed "Simultaneous Login Per User" to 0. When a user is not a member of the VPN group, Cisco ISE should send this attribute back to FTD, and hence the user would not be able to log in. Maybe you have another idea of how to achieve this?

 

Thanks.

 

For that use case, sending back an Access-Reject, for example by using the default DenyAccess Authorization Profile, should be enough.

But there could be something more wrong in your ISE if a configured attribute is not sent back to the NAD.

Hi Karsten,

 

In the beginning I tried to use the default DenyAccess Authorization Profile, but it wasn't working, which is why I had to create this one. But you are right that Cisco ISE is not sending the right attribute to FTD, and I do not know the reason.

 

Thanks.

Regards,

Sal