Cisco Identity Services Engine 1.0.4 Technical Manual
FMC is configured with an Access Control Policy containing two rules:
● Deny for HTTP traffic with custom URL (attack-url)
● Allow for HTTP traffic with custom URL (attack-url), but only if the user is assigned the Audit (9) SGT tag by ISE
ISE decides to assign the Audit tag to all Active Directory users that belong to the Administrator group and use the ASA-VPN device for network access.
The user accesses the network via a VPN connection on the ASA. The user then tries to access the audited server using the URL attack-url, but fails because he has not been assigned to the Audit SGT group. Once that is fixed, the connection is successful.
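The two-stage decision described above (ISE assigns the SGT from AD group plus network device; FMC then matches its rules top-down, first match wins), as an added example that is not Cisco's code or part of the original document. It assumes that the SGT-conditioned Allow rule is ordered above the broad Deny, since with first-match evaluation the reverse order would never let the Allow fire; the default action is assumed to be deny.

```python
"""Added example, not Cisco's code: models ISE SGT assignment followed by
FMC access-control rule evaluation for the scenario described on the page."""

AUDIT_SGT = 9  # the "Audit (9)" tag from the page


def ise_assign_sgt(ad_groups, device_group):
    """ISE authorization: AD 'Administrators' membership AND access via the
    ASA-VPN-Audit network device group -> Audit SGT; otherwise no SGT."""
    if "Administrators" in ad_groups and device_group == "ASA-VPN-Audit":
        return AUDIT_SGT
    return None


# FMC rules as (action, url, required_sgt); required_sgt None = any SGT.
# Assumed order: the SGT-specific Allow must sit above the broad Deny.
FMC_RULES = [
    ("allow", "attack-url", AUDIT_SGT),
    ("deny", "attack-url", None),
]


def fmc_decide(url, sgt, rules=FMC_RULES):
    """Evaluate rules top-down; first matching rule decides."""
    for action, rule_url, required_sgt in rules:
        if rule_url != url:
            continue
        if required_sgt is not None and sgt != required_sgt:
            continue
        return action
    return "deny"  # assumed default action of the policy


def vpn_user_access(ad_groups, device_group, url="attack-url"):
    """Full path: VPN user -> ISE SGT -> FMC verdict for the given URL."""
    sgt = ise_assign_sgt(ad_groups, device_group)
    return fmc_decide(url, sgt)


if __name__ == "__main__":
    # Constructed sample users: no Audit SGT -> deny; Audit SGT -> allow.
    print(vpn_user_access(["Domain Users"], "ASA-VPN-Audit"))    # deny
    print(vpn_user_access(["Administrators"], "ASA-VPN-Audit"))  # allow
    # Ordering caveat: Deny above Allow shadows the SGT rule entirely.
    print(fmc_decide("attack-url", AUDIT_SGT, list(reversed(FMC_RULES))))  # deny
```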
ISE
Active Directory
AD integration must be configured and the correct groups must be fetched (the Administrators group is used for the authorization rule condition):
Network Access Device
The ASA is added as a network device. The custom group ASA-VPN-Audit is used, as shown in this image: