07-25-2023 02:22 AM
Hello,
So, we have the below requirement. We have a Firepower firewall and Cisco ISE version 3.1 on AWS.
Set up a VPN profile for around 75 vendors. Each vendor will have its own access. I currently see the following options:
1. Create a single VPN connection profile on Firepower. Create 75 authorization policies, one for each vendor, on ISE. So if user1 belongs to AD group vendor1, apply a DACL to him pushed to the Firepower firewall. This seems a good method as access policies will be applied for each user dynamically.
The problem with this approach is, suppose there are 300 users. There will be a surge in DACLs on Firepower. What is the limit for a 6-core Firepower container in terms of DACLs? Also, are DACLs checked first, or are the normal access policies checked first? How scalable would this option be?
2. I personally don't like this approach, but it works as well. So in the Cisco ISE authorization profile, put the user in a group-policy on Firepower as per the AD group they belong to. There will be 75 group-policies on Firepower (with a single connection profile) and each group-policy will have a vpn-filter list configured that will control access for users.
3. I don't know if this works. So, here Cisco ISE informs Firepower to assign the IP pool to each user as per the respective IP pool defined for a vendor on Firepower. And then the access control will be done on the basis of the access policy for the IP pool. So, vendors 1 and 2 will be assigned a pool 10.20.20.0/28 and allowed to get RDP to jump server 1.
Can someone guide which is the best way to implement this and point to some Cisco documentation etc. to deploy, FAQ, limitations etc.?
11-21-2023 05:31 AM - edited 11-21-2023 05:32 AM
Hi @tvotna @Rob Ingram, assigning the group-policy attribute may work but I don't want to use that, as we have more than 50+ vendors and don't want to create so many group-policies.
11-21-2023 05:46 AM
I would authenticate with SAML and then authorize via ISE. Use VPN filters as part of the authorization result. That will dynamically associate a vpn-filter ACL with users based on their membership in a given AD group which ISE can check during the authorization policy condition evaluation.
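As an added illustration (not from the thread or from Cisco), the following shows what the three authorization results discussed above look like at the attribute level, with the firewall side in ASA/FTD CLI syntax. Vendor names, hosts, ACL and pool names are hypothetical placeholders; it assumes the named ACL or pool already exists on the firewall (on an FMC-managed FTD, an extended ACL object that is actually deployed to the device).

```text
! --- Firewall side (ASA/FTD syntax). A vpn-filter ACL is written with the VPN client's
! --- assigned address as the source and the protected resource as the destination.
access-list VENDOR1_FILTER extended permit tcp any host 10.20.20.5 eq 3389
access-list VENDOR1_FILTER extended deny ip any any log
access-list VENDOR2_FILTER extended permit tcp any host 10.20.20.6 eq 3389
access-list VENDOR2_FILTER extended deny ip any any log

! --- ISE side: one authorization rule per vendor AD group, e.g.
! ---   condition: AD:ExternalGroups EQUALS <domain>/Groups/VENDOR1   (placeholder domain)
! --- The authorization profile returns one of the following.

! Option 2 as suggested in the answer above (vpn-filter by name, no extra group-policy):
! IETF Filter-Id (attribute 11) names an ACL on the firewall that is applied as the
! session's vpn-filter for full-tunnel IPsec/SSL VPN clients.
Radius:Filter-Id = VENDOR1_FILTER

! Option 1 (downloadable ACL): the ACL entries travel inside the RADIUS reply as
! cisco-av-pairs, so the firewall builds a per-user ACL and nothing is pre-defined there.
cisco-av-pair = ip:inacl#1=permit tcp any host 10.20.20.5 eq 3389
cisco-av-pair = ip:inacl#2=deny ip any any

! Option 3 (per-vendor pool): the Cisco VPN attribute Address-Pools (attribute 217) names
! a local pool defined on the firewall; access is then controlled by the normal access
! policy keyed on that pool's subnet (e.g. 10.20.20.0/28 from the question).
Address-Pools = POOL_VENDOR1
```

With option 2 only the ACL name crosses the wire, so a change to a vendor's access is made once on the firewall rather than in every ISE profile, whereas option 1 keeps all access logic in ISE at the cost of one dynamic ACL per session.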