07-11-2016 12:05 PM
We are migrating off the IPSec client on IOS, which uses IP pools to determine who has access to what based on their client profiles. Since IPSec has been EOL for a while now, and is no longer supported on Windows (or PCI for that matter), the next step is AnyConnect.
What I want to do is simplify the firewall configuration so that there is basically just one AnyConnect group; access to internal hosts would depend on the user's Group Policy. So if a user is allowed access to a single host, I would want ISE (we currently have ACS set up to do this with SSL) to authenticate the user, check the user's GPO and assign them a DACL to the host(s) they are allowed access to. This way I don't have a large ACL on the firewall and multiple IP pools for the VPN. I can assign a /24 subnet for all client connections and let ISE permit/deny their access once authenticated.
I came upon this: https://communities.cisco.com/docs/DOC-68158, and wonder, is this what I am looking for?
07-11-2016 12:51 PM
Hi,
This is the right document.
You can also take a look at SGT:
http://www.cisco.com/c/dam/en/us/solutions/collateral/borderless-networks/trustsec/C07-730151-00_overview_of_trustSec_og.pdf
In your design, a simple CoA could be enough.
Thanks
PS: Please don't forget to rate and mark as correct answer if this solved your issue
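The design in the question (one AnyConnect group, one /24 pool, and ISE pushing a per-user downloadable ACL) can be modelled in a few lines to show why the pool no longer has to separate groups: the ASA applies the dACL to each session individually, first match wins, so two clients from the same pool end up with different reachability. The script below is an added example, not code from the thread, from Cisco, or from the linked document; the group names, host addresses and pool range are constructed for illustration, and the ACE format follows the extended-ACL syntax ISE dACLs use (the `permit ip any host X` form).

```python
import ipaddress

# Constructed mapping of ISE authorization groups to the inside hosts each
# group may reach. Group names and addresses are assumptions for this example,
# not values from the thread or from any real deployment.
GROUP_HOSTS = {
    "VPN-FINANCE": ["10.10.10.5"],
    "VPN-OPS": ["10.10.10.5", "10.10.10.6", "10.10.20.0/24"],
}


def build_dacl(group):
    """Return the dACL body ISE would push for `group`.

    One permit per allowed host or subnet, followed by an explicit
    `deny ip any any` so that a user with no mapped hosts (or an unknown
    group) reaches nothing on the inside network.
    """
    lines = []
    for target in GROUP_HOSTS.get(group, []):
        net = ipaddress.ip_network(target, strict=False)
        if net.prefixlen == 32:
            lines.append(f"permit ip any host {net.network_address}")
        else:
            lines.append(f"permit ip any {net.network_address} {net.netmask}")
    lines.append("deny ip any any")
    return "\n".join(lines)


def dacl_permits(dacl, dst_ip):
    """Evaluate a destination address against the dACL, first match wins.

    This mirrors how the ASA applies the per-session filter: the client's
    source address is irrelevant ("any"), only the destination is checked.
    """
    dst = ipaddress.ip_address(dst_ip)
    for line in dacl.splitlines():
        parts = line.split()
        action, dest = parts[0], parts[3:]
        if dest[0] == "any":
            match = True
        elif dest[0] == "host":
            match = dst == ipaddress.ip_address(dest[1])
        else:
            # "network mask" form, e.g. 10.10.20.0 255.255.255.0
            match = dst in ipaddress.ip_network(f"{dest[0]}/{dest[1]}", strict=False)
        if match:
            return action == "permit"
    return False  # unreachable with the trailing deny, kept for safety


def authorize_session(username, group, client_ip):
    """Model the RADIUS authorization result for one AnyConnect session.

    Every client is addressed from the same pool; the only thing that
    differs between sessions is the dACL ISE returns for the user's group.
    """
    return {"user": username, "client_ip": client_ip, "dacl": build_dacl(group)}


if __name__ == "__main__":
    # Two users from the single constructed pool 10.200.0.0/24
    sessions = [
        authorize_session("alice", "VPN-FINANCE", "10.200.0.11"),
        authorize_session("bob", "VPN-OPS", "10.200.0.12"),
    ]
    for s in sessions:
        print(f"--- {s['user']} ({s['client_ip']}) ---")
        print(s["dacl"])
        for target in ("10.10.10.5", "10.10.10.6", "10.10.20.77"):
            verdict = "permit" if dacl_permits(s["dacl"], target) else "deny"
            print(f"  {target}: {verdict}")
```

Running it prints each user's dACL and the per-destination verdict; the point to notice is that both sessions come from the same /24, and only the pushed ACL decides what they can reach.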
07-11-2016 02:11 PM
SGT would be nice if it weren't for some Junipers in between the ASA, ISE, and WLC's. :) Thanks, I will dig into this and see if I can get it to work.
07-11-2016 02:41 PM
OK, no problem.