- I hope you are all doing well. I have currently installed a third-party app (Cisco AnyConnect) from the Microsoft App Store. I am trying to add this VPN under Settings using PowerShell for all the users.
- In any case you can NOT perform VPN cert authentication on ISE (works only for 802.1X authentications). One good hint is to perform Certificate to Tunnel-Group mapping on the ASA; then in ISE you can perform a condition depending on the tunnel-group name using the following condition studio.
Cisco ISE can be deployed across an enterprise infrastructure, supporting 802.1X wired, wireless, and Virtual Private Networks (VPNs).
I came across this task to set up a posture assessment for a workstation domain membership check when connecting with AnyConnect (AC) VPN to a Cisco ASA, and to enforce access based on compliance. ISE was already deployed for simple VPN authentication, so first of all I had to decide what to use: ASA HostScan (requires the ASA APEX license) or ISE posture assessment. There is a great feature comparison here, but if it comes down to price then it is about $10 versus $7 per user for ASA vs ISE. Since ISE offers more flexibility, it was picked for the final solution.
There are a few Cisco (1, 2) and non-Cisco guides out there, so here I'll just fill in the missing pieces.
- Get an APEX license to support posture on ISE, in addition to the Base license you should already have.
- Upload and enable the proper AC package on the ASA. The package you need is anyconnect-….webdeploy-k9.pkg; all necessary files are included in it. At the time of writing, my file version was anyconnect-win-4.6.04056-webdeploy-k9.pkg. Once the file is uploaded, use this command to enable it.
- Enable the ISE posture module so it is installed on the endpoint.
group-policy DfltGrpPolicy attributes
anyconnect modules value iseposture
- Create an ACL on the ASA that exempts DNS requests and traffic to the ISE nodes (deny = not redirected) and redirects all other web traffic so that posture can take place (permit = redirected).
access-list redirect extended deny udp any any eq domain
access-list redirect extended deny ip any host <ISE IP>
access-list redirect extended permit tcp any any eq www
- Add dynamic authorization (for CoA) and periodic interim accounting under the ISE aaa-server group.
aaa-server ISE protocol radius
 dynamic-authorization
 interim-accounting-update periodic 1
- Make sure accounting to ISE is enabled under the default tunnel-group.
tunnel-group DefaultWEBVPNGroup general-attributes
 accounting-server-group ISE
This will conclude ASA configuration.
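A small evaluator for the redirect ACL above, added here as an example and not part of the original post: it parses the three ASA ACL lines and shows which flows are URL-redirected to the ISE posture portal. The ISE address is a constructed placeholder for <ISE IP>; the ACL syntax handled is only the subset the post uses.

```python
from ipaddress import ip_address

ISE_IP = "10.0.0.5"  # constructed placeholder for the <ISE IP> in the post

# The three ACL lines from the post, with <ISE IP> substituted.
REDIRECT_ACL = f"""
access-list redirect extended deny udp any any eq domain
access-list redirect extended deny ip any host {ISE_IP}
access-list redirect extended permit tcp any any eq www
"""
PORT_NAMES = {"domain": 53, "www": 80}  # ASA port keywords used in this ACL


def parse_ace(line):
    """Parse 'access-list <name> extended <action> <proto> any (any|host <ip>) [eq <port>]'.
    Only the subset used by posture redirect ACLs is handled; anything else
    raises so a typo in the ACL is not silently treated as 'no match'."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended" or t[5] != "any":
        raise ValueError(f"unsupported ACE: {line}")
    action, proto, i, dst, port = t[3], t[4], 6, None, None
    if t[i] == "host":
        dst, i = ip_address(t[i + 1]), i + 2
    elif t[i] == "any":
        i += 1
    else:
        raise ValueError(f"unsupported destination in ACE: {line}")
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES[t[i + 1]] if t[i + 1] in PORT_NAMES else int(t[i + 1])
    return {"action": action, "proto": proto, "dst": dst, "port": port}


def is_redirected(acl_text, proto, dst_ip, dst_port):
    """True if the flow is sent to the ISE posture portal. In a URL-redirect
    ACL 'permit' means redirect and 'deny' means leave the flow alone; first
    match wins and anything unmatched is implicitly not redirected."""
    for line in acl_text.strip().splitlines():
        r = parse_ace(line)
        if r["proto"] not in ("ip", proto):
            continue
        if r["dst"] is not None and r["dst"] != ip_address(dst_ip):
            continue
        if r["port"] is not None and r["port"] != dst_port:
            continue
        return r["action"] == "permit"
    return False  # e.g. HTTPS (443) is never redirected by this ACL
```

Note that with this ACL only plain HTTP triggers the redirect; a client whose first request is HTTPS will not see the portal, which is worth remembering when a posture session appears to hang.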
Some good debugging commands to troubleshoot posture-related issues on ASA.
- debug aaa url-redirect
- debug aaa authorization
- debug radius dynamic-authorization
- debug radius decode
- debug radius user <USERNAME>
- show vpn-sessiondb detail anyconnect filter name <USERNAME>
Now move on to ISE.
First, get the latest posture updates: Administration > System > Settings > Posture > Updates.
Make sure your posture portal is set up with a publicly signed certificate, otherwise users will get trust errors. With some providers you cannot generate a wildcard certificate, so you will have to include every Policy Service Node (PSN) FQDN as a separate SAN field in the CSR, or generate an individual certificate per node. When done, attach the certificate to the proper portal group.
Configure the following elements for Client Provisioning under Work Centers > Posture > Client Provisioning > Resources.
- Posture Agent Profile. Populate Discovery host with PSN FQDNs and Call Home list with PSN FQDNs and IP addresses.
- Next, upload the AC package to ISE. This is the anyconnect-…predeploy-k9.zip file that you can find on the Cisco AC download page. Select “Agent resources from local disk”. Make sure to give it a meaningful name so it is easier to identify.
The AC version on ISE has to match the one on the ASA, otherwise you will get an error message.
- Download the latest compliance modules from Cisco for Windows/OSX and Supplicant Provisioning Wizard.
- Finally, create the AnyConnect configuration for use in the client provisioning policy.
The AC configuration settings are below.
- Create a Client Provisioning Policy under Policy > Client Provisioning.
Next, build a Posture Policy. I’m not going to cover different posture checks at this time. Remember on the policy there is an option to put it in audit mode so you can test it out before enforcing.
Since ISE reporting is not the greatest for customization and flexibility, I’m using Splunk searches to get quick reports. I covered how to get ISE logs into Splunk in this post.
KB ID 0001155
To be honest it’s probably a LOT easier to do this with Dynamic Access Policies, but hey, if you have ISE then why not use it for RADIUS, and let it deploy downloadable ACLs to your remote clients and give them different levels of access based on their group membership.
I’m going to keep things simple, I will have a group for admins that can access anything, and a group for users that can only RDP to internal servers.
I always assume things will break, so I’m also going to create a local user on the ISE deployment, so if Active Directory is down I will have a user account I can use to gain full access in the event of an emergency.
In production you will have plenty of users, but to test I’m going to create a test user and a test admin user.
Then put those users in an appropriate Active Directory security group, (here I’m using VPN-Users and VPN-Admins).
Now you will also need a Tunnel-Group and a matching Group-Policy on the ASA to map the user groups to. That way, when a user connects, they can pick the appropriate tunnel group, like so;
So what I’ve done is set up AnyConnect and configured it properly (see article below), then I’ve simply ‘cloned’ the tunnel group and group policy to create a VPN-ADMIN and a VPN-USERS tunnel-group and group-policy. So my ASA config is as follows;
Create a Local Admin Group in Cisco ISE
On your Cisco ISE Deployment > Identity Management > Groups > Add.
Give the group a name and optional description > Save.
To create an admin user > Administration > Identity Management > Identities > Add.
Create the new admin user > set the password > add the user to the group you created above.
Adding Domain Groups To Cisco ISE
I’m assuming you have joined ISE to Active Directory > To check: Administration > Identity Management > External Identity Sources > Ensure the domain is joined and operational.
Groups > Add.
Locate and add the groups you created above.
Add An Active Directory Identity Source Sequence
We need to authenticate against our AD, but we want it to fail back to the ISE local database (for our local admin). To do that we use an identity source sequence. Administration > Identity Management > Identity Source Sequence > Add.
Give the sequence a name and add your AD and Internal Users.
MAKE SURE you select ‘Treat as if the user was not found and proceed to the next store in the sequence’ > Submit.
Add Cisco ASA to Cisco ISE as a RADIUS Device.
Administration > Network Resources > Network Device Groups > All Device Types > Add.
Add a device GROUP for your ASA(s) > Submit.
Administration > Network Resources > Network Devices > Add.
Add in the ASA > Provide its IP address, and add it to the group you created above > Set a RADIUS Shared Secret > Submit.
The shared secret must be the same on the ASA in the AAA config, like so;
Cisco ISE Create Downloadable Access Control Lists (DACLs)
Policy > Policy Elements > Results > Authorisation > Downloadable ACLs > Add.
Create an ACL for our VPN-USERS group that will only allow RDP (TCP 3389) > Submit.
Repeat the process to create an ACL that allows everything, (for our VPN-ADMINS) > Submit.
Cisco ISE Create Authorisation Profiles
Policy > Policy Elements > Results > Authorisation > Authorisation Profiles > Add.
Create a profile for VPN-ADMINS > Set the correct DACL.
Set the advanced attributes > Change to RADIUS.
Set the OU to equal the group-policy that you want the ASA to apply > Submit.
Create another profile for your VPN-USERS > Set the correct ACL.
RADIUS > Class-25 > OU set to the group-policy on your ASA for the normal users > Submit.
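How the ASA side of the Class-25 attribute works, as an added example (not from the article): the ASA reads a RADIUS Class attribute of the form OU=<group-policy>; and applies that group-policy to the session, which is what steers VPN-ADMINS and VPN-USERS into different policies. The attribute bytes and the set of configured group-policy names below are constructed for this example.

```python
import struct

RADIUS_CLASS = 25  # RFC 2865 Class attribute, which the ASA reads for "OU=<group-policy>;"

# Group-policies assumed configured on the ASA (names taken from the article).
ASA_GROUP_POLICIES = {"VPN-ADMIN", "VPN-USERS", "DfltGrpPolicy"}


def build_attr(attr_type, value):
    """Encode one RADIUS attribute as type (1 byte), length (1 byte, includes header), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    """Decode a run of RADIUS attributes into (type, value) pairs, rejecting truncation."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack_from("!BB", data, i)
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def group_policy_from_class(attrs, known_policies):
    """Return the group-policy named by an 'OU=<name>;' Class attribute.
    Only a name that is actually configured on the ASA is accepted; no Class,
    a Class in another format (e.g. an opaque session id) or an unknown name
    returns None, so the caller falls back to the tunnel-group's default."""
    for t, value in attrs:
        if t != RADIUS_CLASS:
            continue
        text = value.decode("ascii", errors="replace")
        if text.startswith("OU="):
            name = text[3:].split(";", 1)[0]
            if name in known_policies:
                return name
    return None


# Constructed Access-Accept attribute payload: the Class set by the VPN-USERS
# authorisation profile plus a Session-Timeout (27) the parser must skip over.
SAMPLE_ATTRS = (build_attr(27, struct.pack("!I", 28800))
                + build_attr(RADIUS_CLASS, b"OU=VPN-USERS;"))
```

A typo in the OU value on the ISE profile therefore does not fail the login; the user silently lands in the tunnel-group's default group-policy, so check `show vpn-sessiondb detail anyconnect` for the applied group-policy when testing.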
Cisco ISE Enable Policy Sets
Note: only available on newer versions of ISE: Administration > System > Settings > Policy Sets > Enabled > Submit.
Policy > Policy Sets > Add.
Continue to PART TWO