2547 Views · 5 Helpful · 3 Replies

Anyconnect on ASA using ISE and DACL

tahscolony
Level 1

We are migrating off the IPSec client on IOS, which uses IP pools to determine who has access to what based on their client profiles. Since IPSec has been EOL for a while now, and is no longer supported on Windows (or PCI for that matter), the next step is AnyConnect.

What I want to do is simplify the firewall configuration so that there is basically just one AnyConnect group; access to internal hosts would depend on the user's Group Policy. So if a user is allowed access to a single host, I would want ISE (we currently have ACS set up to do this with SSL) to authenticate the user, check the user's GPO and assign them a DACL to the host(s) they are allowed access to. This way I don't have a large ACL on the firewall and multiple IP pools for the VPN. I can assign a /24 subnet for all client connections and let ISE permit/deny their access once authenticated.

I came upon this: https://communities.cisco.com/docs/DOC-68158, and wonder, is this what I am looking for?
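To make the design in the question concrete, here is an added model (not Cisco's code, and not from the linked document) of the ISE-side decision it describes: one AnyConnect group, one /24 client pool, and per-user reachability decided by mapping the user's AD group to a downloadable ACL. The AD group names, DACL names, hosts and the 10.200.0.0/24 pool are constructed sample values, and the rendering of ACEs as `ip:inacl#N=` Cisco-AV-Pairs is an assumed attribute format for illustration; check the ISE DACL and ASA per-user ACL documentation for what your versions accept.

```python
"""Model of the ISE authorization the post describes: AD group -> DACL,
rendered the way it would be pushed to the VPN headend, plus the checks a
defender would want before a DACL goes live. Constructed example."""

import ipaddress
from dataclasses import dataclass

# Constructed sample: the single /24 handed to all AnyConnect clients.
CLIENT_POOL = ipaddress.ip_network("10.200.0.0/24")


@dataclass(frozen=True)
class Dacl:
    name: str
    permitted_hosts: tuple  # host IPs (str) this DACL allows

    def aces(self):
        """ACEs in per-user ACL syntax: one /32 permit per host, explicit deny last."""
        lines = [f"permit ip any host {h}" for h in self.permitted_hosts]
        lines.append("deny ip any any")
        return lines

    def av_pairs(self):
        """Render as 'ip:inacl#N=<ace>' Cisco-AV-Pair values (assumed format)."""
        return [f"ip:inacl#{i}={ace}" for i, ace in enumerate(self.aces(), start=1)]


# Ordered authorization rules, like an ISE policy set: first AD-group match wins.
# Group names, DACL names and hosts are constructed sample values.
AUTHZ_RULES = [
    ("VPN-DBA", Dacl("DACL-DBA", ("10.10.5.20",))),
    ("VPN-Helpdesk", Dacl("DACL-Helpdesk", ("10.10.1.10", "10.10.1.11"))),
]
# Anyone who authenticates but matches no rule gets a deny-only DACL.
DEFAULT_DACL = Dacl("DACL-DenyAll", ())


def authorize(user_groups):
    """Pick the DACL for a user from their AD group memberships."""
    for group, dacl in AUTHZ_RULES:
        if group in user_groups:
            return dacl
    return DEFAULT_DACL


def validate_dacl(dacl):
    """Pre-push checks: only single-host entries, nothing inside the client
    pool itself (no client-to-client permit), and a trailing explicit deny."""
    problems = []
    for h in dacl.permitted_hosts:
        try:
            addr = ipaddress.ip_address(h)
        except ValueError:
            problems.append(f"{h}: not a single host address")
            continue
        if addr in CLIENT_POOL:
            problems.append(f"{h}: inside the VPN client pool")
    if dacl.aces()[-1] != "deny ip any any":
        problems.append("missing explicit deny")
    return problems


def dacl_permits(dacl, dst_ip):
    """First-match evaluation of a destination against the DACL, as the headend would do."""
    for ace in dacl.aces():
        parts = ace.split()
        if parts[0] == "permit" and parts[3:] == ["host", dst_ip]:
            return True
        if parts == ["deny", "ip", "any", "any"]:
            return False
    return False


def authorize_and_render(user_groups):
    """Return (DACL name, AV-pairs) for a user; refuse to render a DACL that fails checks."""
    dacl = authorize(user_groups)
    problems = validate_dacl(dacl)
    if problems:
        raise ValueError("; ".join(problems))
    return dacl.name, dacl.av_pairs()


if __name__ == "__main__":
    for groups in (["VPN-DBA", "Domain Users"], ["VPN-Helpdesk"], ["Domain Users"]):
        name, pairs = authorize_and_render(groups)
        print(groups, "->", name)
        for p in pairs:
            print("   ", p)
```

The point the model makes is the one in the question: the firewall holds no per-group ACLs or pools, and the only thing that differs per session is the DACL ISE returns, so access review becomes a review of the ISE rules and their DACL contents. The validation step matters because a DACL with a broad permit, or one that allows hosts inside the client pool, silently reintroduces the lateral reach the single-pool design was meant to remove.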

1 Accepted Solution

Accepted Solutions

Francesco Molino
VIP Alumni

Hi

This is the right document.

You can also take a look at SGT:

http://www.cisco.com/c/dam/en/us/solutions/collateral/borderless-networks/trustsec/C07-730151-00_overview_of_trustSec_og.pdf

In your design, a simple CoA could be enough.

Thanks
Francesco
PS: Please don't forget to rate and mark as correct answer if this solved your issue


3 Replies


SGT would be nice if it weren't for some Junipers in between the ASA, ISE, and WLCs. :) Thanks, I will dig into this and see if I can get it to work.

OK, no problem.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question