FMC, FTD, ISE, and Using dACLs with AnyConnect

jmashburn-LCT
Level 1

Good Day All,

I am trying an evaluation of ISE 3.0, to which I am a noob, and I am running into an issue. I am wanting to deploy dACLs to users authenticating to our VPN via AnyConnect. I just have the VPN module and no other module. I'm using ISE as a RADIUS server, and I have pxGrid integrated with FMC. Not sure if all of this is relevant. Now, when I block access to a publicly available resource, I connect to the VPN just fine. When I block a private IP or subnet, then AnyConnect will immediately disconnect after connecting. There are 2 funny things about this. Firstly, when I add a private IP that isn't even configured anywhere on the corporate network, it does the disconnect. The second thing is when I look in ISE's live monitoring section for RADIUS, I can see that the attempts where successful and that there is a live session. Is it possible to use dACLs to block access to specific private IPs, or will have to use group policy ACLs to achieve this? Any guidance would be greatly appreciated.

Accepted Solution

jmashburn-LCT
Level 1

So, I finally figured this out (a while ago actually, I just remembered I had this community support forum post). Been super busy.

*sigh* I didn't have CoA enabled on the RADIUS configuration on the ASA..... Kind of helps when you have that enabled when you're trying to use DACLs..... Anyways, thanks Rob for the assistance!


10 Replies

@jmashburn-LCT 

What version of FMC/FTD are you running?

Turn on debugs on the FTD and provide the output for review for connections when you fail to connect.

I'd generally use the Access Control Policy to filter traffic rather than a DACL, why do you want to use a DACL?

FMC and FTD version 6.4.0.4.

I'll try to get those logs here in a bit.

The goal is to use a single VPN profile (both tunnel group and group policy) for all users and use dACLs to lock down access via RADIUS/ISE.

@jmashburn-LCT 

That's pretty dated, plenty more useful RAVPN features in every version since then.

Regardless, you can still have a single tunnel-group and group-policy; that has nothing to do with it. The ACP controls what the user can access once connected.

Yeah, I've been meaning to get our FMC and FTD units up on 6.6.1. This might be an excuse to finally do it. Anyway, I'll check out ACPs and get those logs.

Rob,

Upon further investigation, I can see that FMC is showing my pxGrid integration with FMC for authentication when connecting to the VPN profile configured to use ISE. Maybe I need to add a Policy Set in ISE to allow clients authenticating via pxGrid? Do I need to create/add a SGT in ISE and assign it to the ACP in FTD? I'll try some things out and see what happens.

Also, I see what you mean by using ACPs and it makes sense. I'd still like to have ISE handle the handing out of the access control mechanism when users are connecting to the VPN if possible.

@jmashburn-LCT 

No, you don't need to create a specific policy set in ISE for pxGrid authentications. As long as the user is authenticated, the IP-user binding will be sent to the FMC. You can use SGTs if you wish: just assign one in the AuthZ policy to the users, then reference the SGT as the source in the ACP.

Here is what I am debugging:

debug aaa authentication enabled at level 1
debug aaa authentication enabled at level 1 (persistent)
debug aaa authorization enabled at level 1
debug aaa authorization enabled at level 1 (persistent)
debug aaa accounting enabled at level 1
debug aaa accounting enabled at level 1 (persistent)
debug aaa internal enabled at level 1
debug aaa internal enabled at level 1 (persistent)
debug aaa url-redirect enabled at level 1
debug aaa url-redirect enabled at level 1 (persistent)
debug aaa common enabled at level 1
debug aaa common enabled at level 1 (persistent)
debug ldap enabled at level 1
debug ldap enabled at level 1 (persistent)
debug webvpn enabled at level 1
debug webvpn enabled at level 1 (persistent)

And the only thing I see in the debugs are:

Resetting <ISE>'s numtries
Resetting 0.0.0.0's numtries
Resetting <ISE>'s numtries

Any other debugs that can help with figuring this out? I'll try this on my laptop later and see if I can get DART to get me something useful.

jmashburn-LCT
Level 1

Sorry it took me so long to get this post updated, but I have been a busy bee. Anyway, I have these debugs that are showing the DACL having issues when it is applied to the client.

Got AV-Pair with value ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-Lab-Only-609c37a9
Added ATTR_FILTER_ID with name:#ACSACL#-IP-Lab-Only-609c37a9
RADIUS_ACCESS_ACCEPT: normal termination
radius mkreq: 0x1daf
alloc_rip 0x00002ae9afd5ce00
new request 0x1daf --> 125 (0x00002ae9afd5ce00)
got user '#ACSACL#-IP-Lab-Only-609c37a9'
add_req 0x00002ae9afd5ce00 session 0x1daf id 125
RADIUS_DELETE
remove_req 0x00002ae9afd5d6b0 session 0x1dad id 124
free_rip 0x00002ae9afd5d6b0

rad_procpkt: ACCEPT
Got AV-Pair with value ip:inacl#1=deny ip any 10.255.255.0 0.0.0.255 <--Not a subnet in our environment
Got AV-Pair with value ip:inacl#2=permit ip any any
RADIUS_ACCESS_ACCEPT: normal termination
Processing ACL: deny ip any 10.255.255.0 0.0.0.255
Dynamic ACL "#ACSACL#-IP-Lab-Only-609c37a9" was given acl id -1
ACE error, deleting fragment ACL: #ACSACL#-IP-Lab-Only-609c37a9
RADIUS_DELETE
remove_req 0x00002ae9afd5ce00 session 0x1daf id 125
free_rip 0x00002ae9afd5ce00
radius: send queue empty


bcoverstone
Level 1

To be thorough, for anyone having issues with dynamic ACLs and FDM, where the debug output shows entries like this:

ACE error, deleting fragment ACL
still can't find ACL?

You will need to use regular netmasks and not wildcard masks. It appears the FTD cannot handle wildcard masks, whereas the ASA could handle either one, or even autodetect. While ISE may already convert this for FTD, some RADIUS servers, such as Microsoft NPS, will not convert the mask.

Just an FYI that might save someone a lot of trouble someday, as FDM has almost zero documentation as to the subtleties surrounding it.
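The wildcard-mask problem described above, as an added example that is not part of the original thread or of any Cisco tooling: a Python script that pulls the dACL out of the "Got AV-Pair" lines of `debug radius` output (the same kind of lines posted earlier in the thread) and rewrites IOS-style wildcard masks into the netmask form the post says FTD expects. The debug text in SAMPLE_DEBUG is constructed; only the dACL name and the first ACE are taken from the thread, the other ACEs are assumptions. The script also assumes ISE dACL text follows IOS wildcard semantics, so a mask of 0.0.0.0 is treated as a host and 255.255.255.255 as any.

```python
"""Parse the dACL that ISE returns in RADIUS Access-Accept AV-pairs, as shown by
'debug radius' on ASA/FTD, and rewrite wildcard masks into netmask form.

Added example for this thread, not code from Cisco or from the posters. The
debug lines below are constructed; only the dACL name and ACE #1 come from the
thread, ACEs #2 and #3 are assumptions.
"""
import ipaddress
import re

AVPAIR_RE = re.compile(r"Got AV-Pair with value (?P<attr>[^=]+)=(?P<val>.*\S)")
INACL_RE = re.compile(r"^ip:inacl#(?P<seq>\d+)$")

SAMPLE_DEBUG = """\
Got AV-Pair with value ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-Lab-Only-609c37a9
Added ATTR_FILTER_ID with name:#ACSACL#-IP-Lab-Only-609c37a9
RADIUS_ACCESS_ACCEPT: normal termination
rad_procpkt: ACCEPT
Got AV-Pair with value ip:inacl#1=deny ip any 10.255.255.0 0.0.0.255
Got AV-Pair with value ip:inacl#2=permit tcp 10.10.10.0 0.0.0.255 host 10.20.0.5 eq 443
Got AV-Pair with value ip:inacl#3=permit ip any any
RADIUS_ACCESS_ACCEPT: normal termination
"""


def parse_dacl(debug_text):
    """Return (acl_name, [(seq, ace), ...]) from the AV-pair lines, in inacl#N order."""
    name, aces = None, []
    for line in debug_text.splitlines():
        m = AVPAIR_RE.search(line)
        if not m:
            continue
        attr, val = m.group("attr"), m.group("val")
        if attr == "ACS:CiscoSecure-Defined-ACL":
            name = val  # the #ACSACL# name the NAD then downloads
        else:
            s = INACL_RE.match(attr)
            if s:
                aces.append((int(s.group("seq")), val))
    aces.sort()
    return name, aces


def _mask_kind(mask):
    """'netmask' (ones then zeros), 'wildcard' (zeros then ones), 'both' for
    0.0.0.0 / 255.255.255.255, or 'invalid' for non-contiguous bits."""
    m = int(ipaddress.IPv4Address(mask))
    inv = m ^ 0xFFFFFFFF
    as_netmask = ((inv + 1) & inv) == 0   # inverted mask + 1 is a power of two
    as_wildcard = ((m + 1) & m) == 0      # mask + 1 is a power of two
    if as_netmask and as_wildcard:
        return "both"
    if as_netmask:
        return "netmask"
    if as_wildcard:
        return "wildcard"
    return "invalid"


def _rewrite_endpoint(tokens, i):
    """Consume one source/destination spec at tokens[i]; return (FTD form, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if i + 1 >= len(tokens):
        raise ValueError(f"incomplete address spec after {tokens[i]!r}")
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    addr, mask = tokens[i], tokens[i + 1]
    kind = _mask_kind(mask)
    if kind == "invalid":
        raise ValueError(f"{mask} is neither a netmask nor a wildcard mask")
    if kind in ("wildcard", "both"):
        # Assumption: ISE dACL text uses IOS wildcard semantics, so 0.0.0.0 is a
        # host and 255.255.255.255 is any; invert to get the ASA/FTD netmask.
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)  # sanity-check the pair
    if mask == "0.0.0.0":
        return "any", i + 2
    if mask == "255.255.255.255":
        return f"host {addr}", i + 2
    return f"{addr} {mask}", i + 2


def to_ftd_syntax(ace):
    """Rewrite one ACE, e.g. 'deny ip any 10.255.255.0 0.0.0.255' becomes
    'deny ip any 10.255.255.0 255.255.255.0'; ports and trailing keywords pass through."""
    tokens = ace.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {ace!r}")
    action, proto = tokens[0], tokens[1]
    src, i = _rewrite_endpoint(tokens, 2)
    dst, i = _rewrite_endpoint(tokens, i)
    tail = " ".join(tokens[i:])
    return " ".join(part for part in (action, proto, src, dst, tail) if part)


def convert_dacl(debug_text):
    """Parse the dACL from debug output and return (name, ACEs in FTD syntax)."""
    name, aces = parse_dacl(debug_text)
    return name, [to_ftd_syntax(ace) for _, ace in aces]


def wildcard_aces(debug_text):
    """Sequence numbers of the ACEs whose masks had to be rewritten; per the post
    above these are the entries that trip 'ACE error, deleting fragment ACL' on FTD."""
    _, aces = parse_dacl(debug_text)
    return [seq for seq, ace in aces if to_ftd_syntax(ace) != ace]


if __name__ == "__main__":
    name, aces = convert_dacl(SAMPLE_DEBUG)
    print(f"dACL {name}, ACEs needing rewrite: {wildcard_aces(SAMPLE_DEBUG)}")
    for ace in aces:
        print("  " + ace)
```

Run it against saved debug output to see which inacl#N entries would trip the ACE error; if the RADIUS server already hands out netmask-form ACEs, wildcard_aces() returns an empty list and the ACL is passed through unchanged.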
