AnyConnect Group Authentication With Cisco ISE and Downloadable ACLs (Part 2)

Advertisement

KB ID 0001156 Dtd 09/02/16

Problem

Carrying on from PART 1

Solution

Add  > Create Before.

00031

Edit the Policy

00032

Giv the policy set a name and description > Create a new condition.

00033

Set Description to Device Type.

00034

Equals > All Device Types (The Device Group You Created Above).

00035

Add attribute value.

00036

Set Description to RADIUS.

00037

NAS-Port-Type-[61].

00038

Equals  > Virtual.

00039

Edit the Authentication Policy.

00040

Change the identity source to the the identity source sequence you created above.

00041

Authorisation Policy > Insert New Rule Above.

00042

Give it a Name i.e. VPN-ADMIN-RULE > Create New Condition.

Authorisation Policy Condition

Set Description to your Active Directory.

Specify AD in ISE

External Groups.

ISE External Group Authentication

Select your AD group (VPN-Admins).

ISE Service Acounts

Set Permissions to Standard.

Standard ISE

Select your VPN-Admins authorisation profile.

ISE Authentication Profile

Add another rule (directly below) of your VPN-Users and set this one to use the user profile.

Policy Sets ISE

Add a further rule (below that) for your LOCAL admin in the ISE database.

Cisco ISE New Rule

Set User Identity Groups to VPN-Admins.

ISE User Identity Groups

Note: this is the LOCAL group in ISE, NOT the domain security group.

VPN Admins

Again use the admin authorisation profile.

Admin profile ISE

Finally you need to change the ‘Default’ rule to ‘Deny Access’, (or they will just hit the default allow and get in anyway!)

00054

Now you can test.

Related Articles, References, Credits, or External Links

AnyConnect Group Authentication With Cisco ISE and Downloadable ACLs (Part 1)

Author: PeteLong

Share This Post On

Submit a Comment

Your email address will not be published. Required fields are marked *