User access still granted even with authorization fails

Josh Morris
Level 3

FTD v6.7

Anyconnect 4.9


I am using SAML authentication from FTD and ISE for Authorization only. I am also using ISE to change the user's group policy based on the OU. When using ISE as the authentication and authorization server, everything works as expected. When using SAML authentication, I get the proper authentication response but ISE rejects it due to improper OU assignment. This is working as expected. However, my users are still able to connect even when authorization is rejected. I am expecting that the result of access-reject would keep the user from connecting but it isn't. 


I am seeing the following logs that lead me to believe I am falling back to the group policy that is assigned to the connection profile. Would I be better off using a dummy group policy in that profile? I think it would be best if I could just reject a user based on an authorization reject.

Jul 13 2021 17:54:55: %FTD-6-716038: Group <DfltGrpPolicy> User <username> IP <11.22.33.44> Authentication: successful, Session Type: WebVPN.
Jul 13 2021 17:54:55: %FTD-6-113005: AAA user authorization Rejected : reason = AAA failure : server = 10.200.44.19 : user = username : user IP = None
Jul 13 2021 17:54:55: %FTD-6-113009: AAA retrieved default group policy (GP_SJ_EMPLOYEES) for user = username
Jul 13 2021 17:54:55: %FTD-6-113008: AAA transaction status ACCEPT : user = username
Jul 13 2021 17:54:55: %FTD-7-734003: DAP: User username, Addr 11.22.33.44: Session Attribute aaa.cisco.grouppolicy = GP_SJ_EMPLOYEES
Jul 13 2021 17:54:55: %FTD-7-734003: DAP: User username, Addr 11.22.33.44: Session Attribute aaa.cisco.username = username
Jul 13 2021 17:54:55: %FTD-7-734003: DAP: User username, Addr 11.22.33.44: Session Attribute aaa.cisco.username1 = username
Jul 13 2021 17:54:55: %FTD-7-734003: DAP: User username, Addr 11.22.33.44: Session Attribute aaa.cisco.username2 = 
Jul 13 2021 17:54:55: %FTD-7-734003: DAP: User username, Addr 11.22.33.44: Session Attribute aaa.cisco.tunnelgroup = CP_SJ_EMPLOYEES
Jul 13 2021 17:54:55: %FTD-6-734001: DAP: User username, Addr 11.22.33.44, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
Jul 13 2021 17:54:55: %FTD-6-113039: Group <GP_SJ_EMPLOYEES> User <username> IP <11.22.33.44> AnyConnect parent session started.
Jul 13 2021 17:54:55: %FTD-6-113004: AAA user accounting Successful : server =  10.200.44.19 : user = username
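Detection logic over the log pattern in this post, added here as an example and not code from the original thread: it parses FTD AAA syslog lines and flags any user whose authorization was rejected (113005) yet whose AAA transaction was still accepted (113008 ACCEPT), recording the default group policy the box fell back to (113009) and whether a session started (113039). The sample log is constructed from the excerpt above plus one extra reject for a second user that is never accepted.

```python
import re

# FTD/ASA syslog message IDs seen in the excerpt above.
AUTHZ_REJECTED = "113005"   # AAA user authorization Rejected
DEFAULT_GP = "113009"       # AAA retrieved default group policy (...)
TXN_STATUS = "113008"       # AAA transaction status ACCEPT
SESSION_START = "113039"    # AnyConnect parent session started
MSG_RE = re.compile(r"%FTD-\d-(\d{6}):")
USER_RE = re.compile(r"(?:user = |User <)([^\s>:]+)")   # "user = x" or "User <x>"
GP_RE = re.compile(r"default group policy \(([^)]+)\)")

def find_authz_fallbacks(log_text):
    """Flag users whose authorization was rejected (113005) but whose AAA
    transaction was still accepted (113008 ACCEPT), i.e. the FTD fell back
    to the connection profile's default group policy instead of denying."""
    pending = {}    # user -> working record opened by a 113005
    findings = []
    for line in log_text.splitlines():
        m, u = MSG_RE.search(line), USER_RE.search(line)
        if not (m and u):
            continue                      # not an AAA line we care about
        msg_id, user = m.group(1), u.group(1)
        if msg_id == AUTHZ_REJECTED:
            pending[user] = {"user": user, "fallback_group_policy": None, "session_started": False}
        elif user in pending:
            rec = pending[user]
            if msg_id == DEFAULT_GP:
                gp = GP_RE.search(line)
                rec["fallback_group_policy"] = gp.group(1) if gp else None
            elif msg_id == TXN_STATUS and "ACCEPT" in line:
                findings.append(rec)      # reject followed by accept: the fallback
            elif msg_id == SESSION_START:
                rec["session_started"] = True   # same dict object as in findings
    return findings

# Constructed sample: four lines from the post's excerpt plus one extra
# reject for a second user ("bob") that is never accepted, so it is not flagged.
SAMPLE_LOG = """\
Jul 13 2021 17:54:55: %FTD-6-113005: AAA user authorization Rejected : reason = AAA failure : server = 10.200.44.19 : user = username : user IP = None
Jul 13 2021 17:54:55: %FTD-6-113009: AAA retrieved default group policy (GP_SJ_EMPLOYEES) for user = username
Jul 13 2021 17:54:55: %FTD-6-113008: AAA transaction status ACCEPT : user = username
Jul 13 2021 17:54:55: %FTD-6-113039: Group <GP_SJ_EMPLOYEES> User <username> IP <11.22.33.44> AnyConnect parent session started.
Jul 13 2021 17:55:10: %FTD-6-113005: AAA user authorization Rejected : reason = AAA failure : server = 10.200.44.19 : user = bob : user IP = None
"""

if __name__ == "__main__":
    for f in find_authz_fallbacks(SAMPLE_LOG):
        print(f)
```

Run it against a syslog export from the FTD; any finding with a non-empty fallback_group_policy is a session that was admitted on the connection profile's default policy rather than one ISE assigned.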
2 Replies

@Josh Morris 

Assuming all authorised users would receive a different group policy from ISE, which is different to the default group policy assigned to the tunnel group, set the default group policy to deny connections. Therefore any connection failing authorisation would be denied access.


vpn-simultaneous-logins 0


Thanks @Rob Ingram . This works. I assigned the Default Group Policy to my profile and let ISE dictate all assigned GPs. With a simultaneous login of 0, it does fail. The failure process is not very dramatic though. It basically just doesn't connect after entering credentials. I am good with this but do you know of a way that would show an error message instead?