07-13-2021 11:08 AM
FTD v6.7
Anyconnect 4.9
I am using SAML authentication from FTD and ISE for Authorization only. I am also using ISE to change the user's group policy based on the OU. When using ISE as the authentication and authorization server, everything works as expected. When using SAML authentication, I get the proper authentication response but ISE rejects it due to improper OU assignment. This is working as expected. However, my users are still able to connect even when authorization is rejected. I am expecting that the result of access-reject would keep the user from connecting but it isn't.
I am seeing the following logs that lead me to believe I am falling back to the group policy that is assigned to the connection profile. Would I be better off using a dummy group policy in that profile? I think it would be best if I could just reject a user based on an authorization reject.
Jul 13 2021 17:54:55: %FTD-6-716038: Group <DfltGrpPolicy> User <username> IP <11.22.33.44> Authentication: successful, Session Type: WebVPN.
Jul 13 2021 17:54:55: %FTD-6-113005: AAA user authorization Rejected : reason = AAA failure : server = 10.200.44.19 : user = username : user IP = None
Jul 13 2021 17:54:55: %FTD-6-113009: AAA retrieved default group policy (GP_SJ_EMPLOYEES) for user = username
Jul 13 2021 17:54:55: %FTD-6-113008: AAA transaction status ACCEPT : user = username
Jul 13 2021 17:54:55: %FTD-7-734003: DAP: User username, Addr 11.22.33.44: Session Attribute aaa.cisco.grouppolicy = GP_SJ_EMPLOYEES
Jul 13 2021 17:54:55: %FTD-7-734003: DAP: User username, Addr 11.22.33.44: Session Attribute aaa.cisco.username = username
Jul 13 2021 17:54:55: %FTD-7-734003: DAP: User username, Addr 11.22.33.44: Session Attribute aaa.cisco.username1 = username
Jul 13 2021 17:54:55: %FTD-7-734003: DAP: User username, Addr 11.22.33.44: Session Attribute aaa.cisco.username2 =
Jul 13 2021 17:54:55: %FTD-7-734003: DAP: User username, Addr 11.22.33.44: Session Attribute aaa.cisco.tunnelgroup = CP_SJ_EMPLOYEES
Jul 13 2021 17:54:55: %FTD-6-734001: DAP: User username, Addr 11.22.33.44, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
Jul 13 2021 17:54:55: %FTD-6-113039: Group <GP_SJ_EMPLOYEES> User <username> IP <11.22.33.44> AnyConnect parent session started.
Jul 13 2021 17:54:55: %FTD-6-113004: AAA user accounting Successful : server = 10.200.44.19 : user = username
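The log pattern in this post (an authorization reject in %FTD-6-113005 followed by a parent session start in %FTD-6-113039 for the same user) is something a SOC can detect directly from FTD syslog. The script below is an added example, not part of the original thread or any Cisco tool; the embedded sample lines are constructed from the messages quoted above, and the message IDs it keys on are the ones shown in the post.

```python
import re

# Sample FTD syslog lines, constructed from the post above (placeholder
# user name and addresses). The last line is an extra reject with no
# session start, so it should not be flagged.
SAMPLE_LOGS = """\
Jul 13 2021 17:54:55: %FTD-6-716038: Group <DfltGrpPolicy> User <username> IP <11.22.33.44> Authentication: successful, Session Type: WebVPN.
Jul 13 2021 17:54:55: %FTD-6-113005: AAA user authorization Rejected : reason = AAA failure : server = 10.200.44.19 : user = username : user IP = None
Jul 13 2021 17:54:55: %FTD-6-113009: AAA retrieved default group policy (GP_SJ_EMPLOYEES) for user = username
Jul 13 2021 17:54:55: %FTD-6-113008: AAA transaction status ACCEPT : user = username
Jul 13 2021 17:54:55: %FTD-6-113039: Group <GP_SJ_EMPLOYEES> User <username> IP <11.22.33.44> AnyConnect parent session started.
Jul 13 2021 17:54:55: %FTD-6-113005: AAA user authorization Rejected : reason = AAA failure : server = 10.200.44.19 : user = otheruser : user IP = None
"""

MSG_RE = re.compile(r"%FTD-\d-(?P<id>\d{6}):\s*(?P<body>.*)$")
# The user appears as "user = name" in AAA messages and "User <name>" in session messages.
USER_RE = re.compile(r"user\s*=\s*(?P<u1>\S+)|User\s*<(?P<u2>[^>]+)>", re.IGNORECASE)

AUTHZ_REJECT = "113005"   # AAA user authorization Rejected
DEFAULT_GP = "113009"     # AAA retrieved default group policy (...)
SESSION_START = "113039"  # AnyConnect parent session started

def parse_line(line):
    """Return (message_id, user, default_group_policy) for an FTD syslog line, or None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    body = m.group("body")
    u = USER_RE.search(body)
    user = (u.group("u1") or u.group("u2")) if u else None
    gp = re.search(r"\(([^)]+)\)", body) if m.group("id") == DEFAULT_GP else None
    return m.group("id"), user, (gp.group(1) if gp else None)

def find_authz_bypass(log_text):
    """Users whose authorization was rejected but a parent session still started.
    Returns {user: group policy the session fell back to (or None)}."""
    rejected, fallback_gp, flagged = set(), {}, {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        msg_id, user, gp = parsed
        if msg_id == AUTHZ_REJECT and user:
            rejected.add(user)
        elif msg_id == DEFAULT_GP and user:
            fallback_gp[user] = gp
        elif msg_id == SESSION_START and user in rejected:
            flagged[user] = fallback_gp.get(user)
    return flagged
```

Once the default group policy carries `vpn-simultaneous-logins 0` as suggested below, the 113039 line should no longer follow a 113005 reject, so an empty result is the expected steady state.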
07-13-2021 11:25 AM
Assuming all authorised users would receive a different group policy from ISE, which is different to the default group policy assigned to the tunnel group, set the default group policy to deny connections. Therefore any connection failing authorisation would be denied access.
vpn-simultaneous-logins 0
07-13-2021 11:32 AM
Thanks @Rob Ingram. This works. I assigned the Default Group Policy to my profile and let ISE dictate all assigned GPs. With a simultaneous login of 0, it does fail. The failure process is not very dramatic though. It basically just doesn't connect after entering credentials. I am good with this, but do you know of a way that would show an error message instead?