What is best way to control vpn users acces via cisco ise

User_80617
Level 1

Hello,

So, we have the requirement below. We have a Firepower firewall and Cisco ISE version 3.1 on AWS.

Set up a VPN profile for around 75 vendors. Each vendor will have its own access. I currently see the following options:

1. Create a single VPN connection profile on Firepower. Create 75 authorization policies on ISE, one for each vendor. So if user1 belongs to AD group vendor1, apply a DACL to him, pushed to the Firepower firewall. This seems a good method, as access policies will be applied for each user dynamically.

The problem with this approach is, suppose there are 300 users. There will be a surge in DACLs on Firepower. What is the limit for a 6-core Firepower container in terms of DACLs? Also, are DACLs checked first, or are the normal access policies checked first? How scalable would this option be?

2. This approach I personally don't like, but it works as well. So in the Cisco ISE authorization profile, put the user into a group-policy on Firepower as per the AD group they belong to. There will be 75 group-policies on Firepower (with a single connection profile), and each group-policy will have a vpn-filter list configured that will control access for users.

3. I don't know if this works. So, here Cisco ISE tells Firepower to assign the IP pool to each user as per the respective IP pool defined for that vendor on Firepower. Then the access control will be done on the basis of the access policy for the IP pool. So, vendor1 and vendor2 will be assigned a pool 10.20.20.0/28 and allowed to RDP to jump server 1.

Can someone guide which is the best way to implement this, and point to some Cisco documentation etc. on how to deploy, FAQ, limitations, etc.?

16 Replies

Hi @tvotna @Rob Ingram, assigning the group-policy attribute may work, but I don't want to use that, as we have more than 50 vendors and don't want to create so many group-policies.

Marvin Rhoads
Hall of Fame

I would authenticate with SAML and then authorize via ISE. Use VPN filters as part of the authorization result. That will dynamically associate a vpn-filter ACL with users based on their membership in a given AD group, which ISE can check during authorization policy condition evaluation.
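Worked configuration for the approach in the reply above, added here as an illustration; it is not from the thread and not copied from Cisco documentation. It shows one named vpn-filter ACL per vendor created once on the headend and referenced by name from the ISE authorization result through the RADIUS Filter-Id attribute (IETF attribute 11), with the per-session DACL from option 1 of the question shown beside it for contrast. The ACL and profile names, the pool 10.20.20.0/28, the jump server addresses 10.10.10.50/51, the AD group names and the ISE server address are all assumptions. ASA CLI syntax is used; on FTD the same objects are built from FMC (FlexConfig on older releases), and SAML authentication on the connection profile is left out because it does not change the authorization part.

```text
! ---- Headend (ASA CLI syntax; on FTD deploy the equivalent from FMC) ----
! One ACL per vendor, created once. vpn-filter ACEs are not interface ACEs:
! the form assumed here puts the inside host and port first and the client
! pool second. Verify the ACE direction against the vpn-filter documentation
! for your release before relying on it.
access-list VENDOR1_VPN_FILTER extended permit tcp host 10.10.10.50 eq 3389 10.20.20.0 255.255.255.240
access-list VENDOR1_VPN_FILTER extended deny ip any any log
access-list VENDOR2_VPN_FILTER extended permit tcp host 10.10.10.51 eq 3389 10.20.20.0 255.255.255.240
access-list VENDOR2_VPN_FILTER extended deny ip any any log

! A single connection profile with one deliberately restrictive default
! group-policy. If ISE returns no Filter-Id, the session gets DENY_ALL and
! cannot reach anything, which is the safe failure mode for vendor access.
access-list DENY_ALL_VPN_FILTER extended deny ip any any log
group-policy GP_VENDORS internal
group-policy GP_VENDORS attributes
 vpn-filter value DENY_ALL_VPN_FILTER

aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.0.0.20
 key <shared-secret>

tunnel-group VENDOR_RA type remote-access
tunnel-group VENDOR_RA general-attributes
 default-group-policy GP_VENDORS
 authorization-server-group ISE
 authorization-required

! ---- ISE 3.1 authorization (described as comments; built in the GUI) ----
! Authorization policy: one rule per vendor, matched on the AD group that
! ISE resolves at authorization time. Assumed join point name "AD1".
!   Rule "Vendor1"  Condition: AD1:ExternalGroups EQUALS corp.example/Users/Vendor1
!                   Result:    authorization profile AUTHZ_VENDOR1
!   Rule "Vendor2"  Condition: AD1:ExternalGroups EQUALS corp.example/Users/Vendor2
!                   Result:    authorization profile AUTHZ_VENDOR2
!   Default rule    Result:    DenyAccess
!
! Authorization profile AUTHZ_VENDOR1, Advanced Attributes Settings:
!   Radius:Filter-Id = VENDOR1_VPN_FILTER
! The ACL must already exist on the headend under exactly that name; ISE only
! sends the name, so a typo yields a session with no working filter.
!
! The DACL alternative from option 1 of the question ships the ACE text itself
! with every Access-Accept instead of a name ("any" as source means the
! client's assigned address):
!   Radius:cisco-av-pair = ip:inacl#1=permit tcp any host 10.10.10.50 eq 3389
!   Radius:cisco-av-pair = ip:inacl#2=deny ip any any
```

The trade-off the two result types make visible: with Filter-Id the headend holds 75 static ACLs and each session only carries a name, so the per-session cost on the firewall does not grow with the ACL length; with a DACL every concurrent session carries its own copy of the ACE list, which is what the original question's concern about 300 users pushing DACLs onto the Firepower container refers to. In both cases, test a user who is in no vendor group and confirm the session lands on the deny-all default before opening access to anyone.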