Using Cisco ISE you can apply variables such Downloadable ACL (DACL) or VLAN from an External Identity Source (e.g Active Directory) and apply these values during authorization. For example instead of defining multiple authorization rules such as – If AD:ExternalGroup membership equals “GroupName” then assign static attributes”DACL_1″ and “VLAN_1”.
The same can be achieved by extracting the attributes from an External Identity Source such as AD, resulting in 1 authorization rule instead of multiple.
Continue reading “ISE Dynamic Variables”
This blog post will document how to configure an AnyConnect SSL-VPN on a Cisco ASA firewall using Cisco ISE (2.1 patch 5) as a AAA server for authentication.
It is assumed that ISE is installed and configured with the basics (IP addresses and integrated into AD).
Define the ASA as a Network Device
- Navigate to Administration > Network Resources > Network Devices
- Create new by clicking Add and define the ASA
- Specify the INSIDE interface IP address of the ASA
- Tick the RADIUS Authentication Settings box
- Specify a shared secret, this will need to match on the ASA configuration
- Click Save
Continue reading “ASA AnyConnect SSL-VPN”