Remote-access Guide

ASA remote access VPN: static IP per user, TACACS+ and ISE

by Mr. Floyd Klocko Jr. Published 2 years ago Updated 1 year ago

What is Cisco ASA remote access VPN?

Cisco ASA remote access VPN lets a remote user connect to the ASA over an encrypted tunnel. The remote user needs the Cisco VPN client software on his or her computer; once the connection is established the user receives a private IP address from the ASA and has access to the network. The legacy Cisco VPN client is end-of-life and has been replaced by the Cisco AnyConnect Secure Mobility Client.

How does Cisco asa92-posture authorization profile work?

The remote user uses Cisco AnyConnect for VPN access to the ASA. The ASA sends a RADIUS Access-Request for that user to the ISE. That request hits the authorization policy named ASA92-posture on the ISE, so the ASA92-posture authorization profile is returned in the Access-Accept.

Is there a second authentication for the ASA VPN posture?

For the ASA VPN posture, there is no second authentication. All of the attributes are returned in the RADIUS CoA. The VPN session stays active, and at that point it is not possible to change most of the VPN user settings. Use this section in order to configure the ASA and the ISE. Here is the basic ASA configuration for Cisco AnyConnect access:

How do I connect to the ASA from another computer?

Remote access VPN allows remote users to connect to the ASA and access the remote network through an IPsec encrypted tunnel. The remote user needs the VPN client software on his or her computer; once the tunnel is established the user receives a private IP address from the ASA and has access to the network.

What does the ASA send to the ISE in RADIUS accounting?

The ASA sends a RADIUS Accounting-Request Start packet and receives a response. This is needed in order to pass all of the session details to the ISE: the session_id, the external IP address of the VPN client, and the IP address of the ASA. The ISE uses the session_id in order to identify that session. The ASA also sends periodic interim accounting updates, where the most important attribute is the Framed-IP-Address, carrying the IP that the ASA assigned to the client (10.10.10.10 in this example).

What is Cisco ASA 9.2.1?

The Cisco ASA Version 9.2.1 supports RADIUS Change of Authorization (CoA) (RFC 5176). This allows for posturing of VPN users against the Cisco ISE without the need for an Inline Posture Node (IPN). After a VPN user logs in, the ASA redirects web traffic to the ISE, where the user is provisioned with a Network Admission Control (NAC) Agent or Web Agent. The agent performs specific checks on the user machine in order to determine its compliance against a configured set of posture rules, such as Operating System (OS), patch, AntiVirus, Service, Application, or Registry rules.

What VPN does a remote user use?

The remote user uses Cisco AnyConnect for VPN access to the ASA.

What happens if the ASA does not have the DACL cached?

If the ASA does not have the DACL cached, it must send an Access-Request in order to download it from the ISE. The DACL is then attached to the VPN session. The next time the VPN user tries to access the web page, the user can reach all of the resources that are permitted by the DACL installed on the ASA.

How to configure proxy for ISE?

If necessary, you can navigate to Administration > System > Settings > Proxy and configure the proxy for the ISE (to access the Internet).

What is URL redirect ACL?

url-redirect-acl=redirect: this is the name of the Access Control List (ACL) defined locally on the ASA that decides which traffic is redirected to the ISE.
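The RADIUS exchange described in the sections above (Access-Request and Access-Accept with the redirect AV pairs, the Accounting-Request Start carrying Framed-IP-Address, and the RFC 5176 CoA that pushes the DACL), carried out on real packet bytes. This is an added example, not code from the page's Cisco documents, ISE or the ASA: the shared secret, addresses, session ID, redirect URL and DACL name are assumed placeholders; url-redirect and url-redirect-acl are the AV pair names quoted on the page, while audit-session-id and ACS:CiscoSecure-Defined-ACL are assumed from ISE's CoA conventions. It also shows the per-user static IP from the page title, which is simply a Framed-IP-Address returned in the Access-Accept.

```python
import hashlib
import os
import struct

SECRET = b"cisco123"                                   # assumed shared secret
ISE_IP, ASA_IP = "10.48.66.74", "10.48.67.15"          # assumed addresses
DACL_NAME = "#ACSACL#-IP-PERMIT_ALL_TRAFFIC-53a42a1b"   # assumed downloadable ACL name
ACCESS_REQUEST, ACCESS_ACCEPT, ACCT_REQUEST, COA_REQUEST, COA_ACK, COA_NAK = 1, 2, 4, 43, 44, 45
USER_NAME, NAS_IP, FRAMED_IP, VSA, CALLING_STATION, ACCT_STATUS, ACCT_SESSION = 1, 4, 8, 26, 31, 40, 44
CISCO, CISCO_AVPAIR = 9, 1


def avp(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def cisco_avpair(text):                 # RADIUS VSA, vendor 9, sub-type 1 "cisco-avpair"
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return avp(VSA, struct.pack("!I", CISCO) + inner)

def ip_attr(atype, dotted):
    return avp(atype, bytes(int(o) for o in dotted.split(".")))

def build(code, ident, attrs, request_auth=None):
    """Access-Request: random authenticator. Accounting-/CoA-Request: MD5 over 16 zero
    octets (RFC 2866, RFC 5176). Responses: MD5 over the request's authenticator."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if code == ACCESS_REQUEST:
        return header + os.urandom(16) + body
    seed = bytes(16) if request_auth is None else request_auth
    return header + hashlib.md5(header + seed + body + SECRET).digest() + body

def verify(pkt, request_auth=None):
    """Recompute the authenticator; a wrong secret or a modified attribute fails here."""
    seed = bytes(16) if request_auth is None else request_auth
    return hashlib.md5(pkt[:4] + seed + pkt[20:] + SECRET).digest() == pkt[4:20]

def parse(pkt):
    """Return (code, id, authenticator, attrs); Cisco AV pairs and IP attributes decoded."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        value = pkt[pos + 2:pos + alen]
        if atype == VSA and struct.unpack("!I", value[:4])[0] == CISCO:
            attrs.append(("cisco-avpair", value[6:4 + value[5]].decode()))
        elif atype in (NAS_IP, FRAMED_IP):
            attrs.append((atype, ".".join(str(b) for b in value)))
        else:
            attrs.append((atype, value))
        pos += alen
    return code, ident, pkt[4:20], attrs

def avpairs(attrs):
    return dict(v.split("=", 1) for k, v in attrs if k == "cisco-avpair")

def ise_authorize(request, static_ips):
    """ISE side of steps 2-3: posture redirect AV pairs, plus a per-user Framed-IP-Address,
    which is how a static address per user is handed to the ASA."""
    _, ident, req_auth, attrs = parse(request)
    user = dict(attrs)[USER_NAME].decode()
    out = [cisco_avpair("url-redirect-acl=redirect"),
           cisco_avpair(f"url-redirect=https://{ISE_IP}:8443/guestportal/gateway?action=cpp")]
    if user in static_ips:
        out.append(ip_attr(FRAMED_IP, static_ips[user]))
    return build(ACCESS_ACCEPT, ident, out, request_auth=req_auth)

def asa_handle_coa(coa, sessions, dacl_cache):
    """ASA side: verify, match audit-session-id to a live session, fetch the DACL if not
    cached (an Access-Request with User-Name=<DACL name>), attach it, CoA-ACK; else CoA-NAK."""
    code, ident, req_auth, attrs = parse(coa)
    pairs = avpairs(attrs)
    sid, dacl = pairs.get("audit-session-id"), pairs.get("ACS:CiscoSecure-Defined-ACL")
    if code != COA_REQUEST or not verify(coa) or sid not in sessions or dacl is None:
        return build(COA_NAK, ident, [], request_auth=req_auth), None
    if dacl not in dacl_cache:
        dacl_cache[dacl] = build(ACCESS_REQUEST, (ident + 1) % 256, [avp(USER_NAME, dacl.encode())])
    sessions[sid]["dacl"] = dacl
    return build(COA_ACK, ident, [], request_auth=req_auth), dacl

def run_flow(user="cisco", client_ip="192.168.10.21"):
    """Replay the page's flow with constructed values; returns what each side ended up with."""
    req = build(ACCESS_REQUEST, 7, [avp(USER_NAME, user.encode()), ip_attr(NAS_IP, ASA_IP),
                                    avp(CALLING_STATION, client_ip.encode())])
    accept = ise_authorize(req, {user: "10.10.10.10"})           # the page's example pool address
    acc_attrs = parse(accept)[3]
    framed = dict(acc_attrs)[FRAMED_IP]
    sid = "0a3042b10000000b53a42a1b"                             # assumed audit-session-id
    acct = build(ACCT_REQUEST, 8, [avp(ACCT_STATUS, struct.pack("!I", 1)), avp(ACCT_SESSION, sid.encode()),
                                   ip_attr(FRAMED_IP, framed), avp(CALLING_STATION, client_ip.encode())])
    sessions = {sid: {"user": user, "framed_ip": framed}} if verify(acct) else {}
    coa = build(COA_REQUEST, 9, [cisco_avpair(f"audit-session-id={sid}"),
                                 cisco_avpair(f"ACS:CiscoSecure-Defined-ACL={DACL_NAME}")])
    ack, dacl = asa_handle_coa(coa, sessions, {})
    return {"accept_ok": verify(accept, request_auth=req[4:20]), "framed_ip": framed,
            "redirect_acl": avpairs(acc_attrs)["url-redirect-acl"],
            "coa_acked": parse(ack)[0] == COA_ACK, "dacl": dacl, "session": sessions[sid]}
```

The point to notice is in asa_handle_coa: the MD5 authenticator keyed with the shared secret is the only thing that authenticates a CoA-Request, and the audit-session-id must match a session the ASA already reported in accounting. A CoA with a bad authenticator, or for a session the ASA never reported, gets a CoA-NAK and no DACL; this is why the RADIUS secret and the set of hosts allowed to send CoA matter as much as the posture policy itself.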

What is the default authentication rule?

The default authentication rules check the user name in the internal identity store. If this must be changed (checked in the Active Directory (AD), for example), then navigate to Policy > Authentication and make the change:

How many interfaces does an ASA have?

The ASA has two interfaces: inside and outside. The outside interface is connected to the Internet, where a remote user wants to connect to the ASA. On the inside is R1; this router is there only so the remote user has something to connect to on the inside network. Let's look at the configuration.

What is VPN_POLICY?

The group policy is called VPN_POLICY and it is an internal group policy, which means it is created locally on the ASA. You can also specify an external group policy on a RADIUS server. It carries some attributes, for example a DNS server and an idle timeout (15 minutes). Split tunneling is optional but is included to show how to use it; it refers to the access-list created earlier.

Can remote VPN users access certain networks?

If you want remote VPN users to reach only certain networks, IP addresses or ports, configure an access-list and apply it under the group policy as the VPN filter.

Can you use VPN on remote network?

By default all traffic from the remote user is sent through the tunnel. If you don't want this, you can enable split tunneling. With split tunneling enabled, the VPN is used only for access to the remote network and other traffic leaves the client directly. Here's how to enable it:

Which users are defined on ISE?

Two users are created. User administrator is a member of the Network Admins local Identity Group on ISE and has full CLI privileges. User user is a member of the Network Maintenance Team local Identity Group on ISE and is allowed to run only show commands and ping.

How do you add a TACACS+ command set on ISE?

1. Navigate to Work Centers > Device Administration > Policy Results > TACACS Command Sets. Click Add. Provide the Name PermitAllCommands, select the Permit any command that is not listed below checkbox, and click Submit.

Is authentication done on ISE?

Note: With the commands above, authentication is done on ISE, the user is placed directly into privileged EXEC mode, and command authorization takes place on ISE for every command.
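To make the two command sets concrete, here is a small model of how ISE-style TACACS+ command-set evaluation decides each command. This is an added example and not ISE code: it models the PermitAllCommands set for the Network Admins group and a set for the Network Maintenance Team that permits only show commands and ping. The DENY_ALWAYS rule for show running-config is an assumed extra rule, added to show how an always-deny in one set overrides a permit in another when a user matches several sets.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    grant: str              # "PERMIT", "DENY" or "DENY_ALWAYS"
    command: str            # command keyword, matched case-insensitively
    arguments: str = ""     # regex over the rest of the line; empty matches anything


@dataclass
class CommandSet:
    name: str
    permit_unlisted: bool = False   # the "Permit any command that is not listed below" box
    rules: list = field(default_factory=list)


def evaluate(sets, line):
    """Return True if the command line is authorized by the union of the command sets.
    A DENY_ALWAYS match in any set wins over everything. Otherwise the first matching
    PERMIT or DENY, in rule order across the sets, decides. A command no rule mentions
    passes only if at least one set permits unlisted commands."""
    line = " ".join(line.split())
    cmd, _, args = line.partition(" ")
    verdict = None
    for cs in sets:
        for r in cs.rules:
            if r.command.lower() != cmd.lower():
                continue
            if r.arguments and not re.fullmatch(r.arguments, args, re.IGNORECASE):
                continue
            if r.grant == "DENY_ALWAYS":
                return False
            if verdict is None:
                verdict = r.grant == "PERMIT"
    if verdict is not None:
        return verdict
    return any(cs.permit_unlisted for cs in sets)


# Network Admins: everything allowed (the PermitAllCommands set from the page).
PERMIT_ALL = CommandSet("PermitAllCommands", permit_unlisted=True)

# Network Maintenance Team: show and ping only; the running-config deny is an assumed
# extra rule, not one the page configures.
SHOW_AND_PING = CommandSet("PermitShowCommands", rules=[
    Rule("PERMIT", "show"),
    Rule("PERMIT", "ping"),
    Rule("DENY_ALWAYS", "show", r"running-config.*"),
])


def maintenance_can_run(line):
    return evaluate([SHOW_AND_PING], line)


def admin_can_run(line):
    return evaluate([PERMIT_ALL], line)


def both_groups_can_run(line):
    """A user in both identity groups: DENY_ALWAYS still wins over permit-all."""
    return evaluate([PERMIT_ALL, SHOW_AND_PING], line)
```

The practical caveat this models: a permit-all set is broad by design, so anything that must never be run from the CLI (here, dumping the running configuration with its secrets) belongs in a DENY_ALWAYS rule rather than in the ordering of permit rules, because ordering cannot protect a user who also matches PermitAllCommands.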

How do you check the IP address assigned by ISE?

In the AnyConnect client, click the gear icon (lower left corner) and open the Statistics tab. Confirm in the Address Information section that the IP address assigned is indeed the one configured in the ISE authorization policy for this user.

How do you select the RADIUS User-Name attribute in ISE?

Click in the Attribute Editor textbox and click the Subject icon. Scroll down until you find the RADIUS User-Name attribute and choose it.

Which address does the client get from the local pool?

The Address Information section shows that the IP address assigned is indeed the first IP address available in the IPv4 local pool configured via FMC (Firepower Management Center).

Can ACS authenticate users against AD?

ACS can be configured to check users in an AD database. Password expiry and change are supported when Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2) is used; see User Guide for Cisco Secure Access Control System 5.4: Authentication in ACS 5.4: Authentication Protocol and Identity Store Compatibility for details.

Does ACS support password expiration?

ACS supports both password expiry and password change for locally defined users. For example, you can force newly created users to change their password at their next login, or you can disable an account on a specific date:

Does LDAP over SSL work by default?

By default, Microsoft LDAP over SSL does not work. In order to enable this function, you must install a certificate for the computer account with the correct key usage extension (Server Authentication). See How to enable LDAP over SSL with a third-party certification authority for more details.

Introduction

Prerequisites

  • Requirements
    Cisco recommends that you have knowledge of these topics:
    1. Basic knowledge of ASA CLI configuration and Secure Socket Layer (SSL) VPN configuration
    2. Basic knowledge of remote access VPN configuration on the ASA
    3. Basic knowledge of ISE and posture services
  • Components Used
    The information in this document is based on these software versions:
    1. Cisco ASA software Versions 9.2.1 and later
    2. Microsoft Windows Version 7 with Cisco AnyConnect Secure Mobility Client Version 3.1
    3. Cisco ISE Version 1.2 with Patch 5 or later

Background Information

  • The Cisco ASA Version 9.2.1 supports RADIUS Change of Authorization (CoA) (RFC 5176). This allows for posturing of VPN users against the Cisco ISE without the need for an Inline Posture Node (IPN). After a VPN user logs in, the ASA redirects web traffic to the ISE, where the user is provisioned with a Network Admission Control (NAC) Agent or Web Agent. The agent performs specific checks on the user …

Configure

  • Network Diagram and Traffic Flow
    Here is the traffic flow, as illustrated in the network diagram: 1. The remote user uses Cisco AnyConnect for VPN access to the ASA. 2. The ASA sends a RADIUS Access-Request for that user to the ISE. 3. That request hits the policy named ASA92-posture on the ISE. As a result, the ASA9…
  • Configurations
    Use this section in order to configure the ASA and the ISE.

Verify

  • In order to confirm that your configuration works correctly, ensure that these steps are completed as described: 1. The VPN user connects to the ASA. 2. The ASA sends a RADIUS Access-Request and receives a response with the url-redirect and url-redirect-acl attributes: 3. The ISE logs indicate that the authorization matches the posture profile (the first log entry): 4. The ASA adds a redirec…
