Saturday, September 4, 2021

AnyConnect VPN, granular access based on multiple AD group memberships

Hi all!

The company I work for has the following setup:

  • ASA VPN
  • ISE
  • several subnets (/26-/30)
  • Azure AD
  • Integration between ASA and Azure AD via NPS server (MFA, AAA)

Each subnet is mapped to an Azure AD group via ISE (see SGT explanation below).

The business would like the AnyConnect users to reach these subnets only when the user is a member of the corresponding group, in a mix-and-match fashion. Example:

User 1 belongs to groups A and B = can access both subnet A and subnet B
User 2 belongs to group B = can only access subnet B

(explained very similarly here)

SGT setup: In ISE, we map each subnet to its own SGT, and each AAD group to its own SGT. The ASA ruleset is therefore based on SGTs (src/dst) instead of IP/subnet objects.

The big limitation in this approach is how the ASA sees the AnyConnect user: when the user connects, they belong to only one AAD group (SGT) at a time. This breaks the mix-and-match multiple-groups requirement.

I have been searching for a solution to this need, and all I could find is the following:

I am afraid neither of the above would scale, as we are talking about hundreds of subnets/AD groups and, consequently, SGTs.

Any ideas? I am willing to radically review the approach. My knowledge of ASA and ISE is not very extensive; I am sure I am missing some bits.

Thanks!
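The following is an added example, not part of the post above and not taken from the poster's ISE/ASA configuration. It models the limitation the post describes: an authorization policy is evaluated top-down and first-match-wins, so a session receives exactly one SGT and therefore reaches exactly one subnet, even when the user belongs to several groups. Beside it is the mix-and-match result the post asks for, computed as the union of the subnets of every group the user is in, rendered as per-user ACL lines. Group names, SGT numbers, subnets, rule order and the ACL name are all constructed; the ACL rendering uses ASA extended-ACL syntax purely for illustration and says nothing about how (or whether) such an ACL would be pushed to the ASA in a given deployment.

```python
"""Model of first-match-wins SGT assignment versus a union of group
memberships. Added example with constructed data; not the poster's setup."""
from ipaddress import ip_network

# Constructed 1:1 mapping, as the post describes: AAD group -> SGT -> subnet.
GROUP_TO_SGT = {"VPN-Subnet-A": 10, "VPN-Subnet-B": 11, "VPN-Subnet-C": 12}
SGT_TO_SUBNET = {
    10: ip_network("10.10.0.0/26"),
    11: ip_network("10.10.0.64/28"),
    12: ip_network("10.10.0.96/30"),
}

# Authorization rules in evaluation order (constructed): the first rule whose
# required group the user holds wins, and that rule's SGT is the session's SGT.
AUTHZ_POLICY = [("VPN-Subnet-A", 10), ("VPN-Subnet-B", 11), ("VPN-Subnet-C", 12)]


def assign_single_sgt(user_groups, policy=AUTHZ_POLICY):
    """First-match-wins evaluation: the session gets at most one SGT."""
    for group, sgt in policy:
        if group in user_groups:
            return sgt
    return None  # no rule matched: no SGT, no subnet access


def reachable_via_sgt(user_groups):
    """Subnets reachable when the firewall rule matches on the session's
    single SGT. Membership in further groups is silently lost here."""
    sgt = assign_single_sgt(user_groups)
    return set() if sgt is None else {SGT_TO_SUBNET[sgt]}


def reachable_via_union(user_groups):
    """Mix-and-match: the union of the subnets of every group the user is
    in. Groups with no subnet mapping are ignored rather than failing."""
    return {SGT_TO_SUBNET[GROUP_TO_SGT[g]] for g in user_groups if g in GROUP_TO_SGT}


def render_acl(name, subnets):
    """Render a set of subnets as per-user permit lines plus a final deny,
    in ASA extended-ACL syntax (illustrative; the ACL name is constructed)."""
    lines = [
        f"access-list {name} extended permit ip any {net.network_address} {net.netmask}"
        for net in sorted(subnets)
    ]
    lines.append(f"access-list {name} extended deny ip any any")
    return lines


if __name__ == "__main__":
    # Constructed users matching the post's example.
    user1 = {"VPN-Subnet-A", "VPN-Subnet-B"}
    user2 = {"VPN-Subnet-B"}
    for label, groups in (("User 1", user1), ("User 2", user2)):
        print(label, "single SGT ->", sorted(map(str, reachable_via_sgt(groups))))
        print(label, "union      ->", sorted(map(str, reachable_via_union(groups))))
    print("\n".join(render_acl("VPN-user1", reachable_via_union(user1))))
```

Running it shows User 1 reaching only subnet A under single-SGT assignment (because the rule for group A sits first in the policy), while the union yields both A and B; for User 2 the two agree. Reordering `AUTHZ_POLICY` changes which single subnet User 1 gets, which is the practical symptom of the limitation: the outcome depends on rule order, not on the user's full membership.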
