ASA AnyConnect with ISE
Cisco ASA AnyConnect VPN integrates with Cisco ISE as a RADIUS server to authenticate remote users: the ASA forwards authentication requests to ISE, which then verifies the user credentials against Active Directory or a local identity source.
Here we have a working Cisco AnyConnect VPN deployment that authenticates against the ASA's internal users.
ISE
To offload the authentication to ISE, first we're gonna configure a Network Device Group named VPN
Then add the ASA as a Network Device that's part of the VPN Device Group
Then we use the VPN Group as a condition for this new Policy Set
ASA
Now on the ASA side, add ISE as a RADIUS Server
Run the authentication test for good measure
Then on AnyConnect Connection Profiles, we will create a new dedicated connection profile for users authenticating to ISE
Or if we're modifying an existing profile, all that needs to be done is changing the AAA Server Group from LOCAL to ISE
That should do it, now let's try connecting to the VPN as an ISE user to the ise_vpn connection profile / group
And we have successfully connected
On ISE, we can see the RADIUS Logs of the VPN user authenticating
Adding Dynamic ACL
We can also add a DACL to the connecting VPN users, giving more granular control over which resources are allowed. First we add a DACL on ISE
Then add the DACL to the Authorization Profile
Now when we connect, we can only access the allowed resources stated in the DACL
And the
Dynamically Assign Group Policy
Other than giving a dynamic ACL, we can also dynamically assign a Group Policy to each connecting user. First let's create a new Group Policy named ise_vpn_x that's not used by default by any Tunnel Group
This Group Policy has a different split tunnel ACL that only allows access to specific hosts
Then on ISE, we can call this Group Policy in the Authz Profile
When we connect to the VPN, we get the ise_vpn_x Group Policy; we can also see that we get some very specific routes because of the specific split tunnel ACL
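The ASA side of the steps above, collected as CLI configuration (an added example, not the config from the screenshots in this post): the ISE RADIUS server group, the ise_vpn connection profile bound to it, and the ise_vpn_x group policy that ISE assigns. The ISE address 10.0.0.5, the shared secret, the SPLIT_X host and the vpnuser account are assumed placeholders.

```cisco
! RADIUS server group pointing at ISE (IP and shared secret are assumed placeholders)
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.0.0.5
 key ISE-SHARED-SECRET
 authentication-port 1812
 accounting-port 1813
!
! Optional pre-check from the CLI, the equivalent of the GUI "Test" button (assumed test account)
! test aaa-server authentication ISE host 10.0.0.5 username vpnuser password <pw>
!
! Default group policy for the ISE-authenticated connection profile
group-policy ise_vpn internal
group-policy ise_vpn attributes
 vpn-tunnel-protocol ssl-client
!
! Dedicated connection profile (tunnel group) that authenticates against ISE instead of LOCAL
tunnel-group ise_vpn type remote-access
tunnel-group ise_vpn general-attributes
 authentication-server-group ISE
 default-group-policy ise_vpn
tunnel-group ise_vpn webvpn-attributes
 group-alias ise_vpn enable
!
! Second group policy, not referenced by any tunnel group, with a narrower split-tunnel ACL.
! ISE selects it by returning RADIUS attribute 25 (Class) = "OU=ise_vpn_x;" from the Authz Profile;
! the DACL arrives in the same Access-Accept and the ASA downloads it as an #ACSACL# entry.
access-list SPLIT_X standard permit host 10.20.30.40
group-policy ise_vpn_x internal
group-policy ise_vpn_x attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_X
!
! Verification after connecting: the applied group policy and (with detail) the downloaded DACL name
! show vpn-sessiondb detail anyconnect filter name vpnuser
! show access-list | include ACSACL
```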