View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0195 - ISE 1.3 Posture Assessment on AnyConnect VPN (Part 2)

Rating: 
5
Average: 5 (1 vote)
Difficulty Level: 
0
Lab Document: 
<Please login to see the content>
Video Download: 
Title: SEC0195 - Video Download $11.00
Purchase SEC0195 - Video Download $11.00
The video extends our previous Cisco ISE 1.3 posture assessment to remote VPN users. The goal is to have our VPN user subject to the same set of posture checks to enforce consistent network access experience regardless of user locations. Using the same posture policies with ClamWin Antivirus, we will concentrate on configuration on ASA, and authorization policy on ISE to support remote VPN authentication. We will be using AnyConnect client with ISE posture module on Windows for testing.
 
Part 2 of this video focuses on testing of posture assessment over AnyConnect VPN
 
Pre-requisite
  • Cisco ASA running version 9.2 or later with basic AnyConnect VPN
Topic:
  • Posture Assessment on AnyConnect VPN
  • Active Directory User Group Selection
  • Network Device
  • Policy Set
  • Authentication Policies
  • Authorization Policies
  • Client Provisioning Policies
  • Policy Elements
    • Results (Authorization Profile, dACL, RADIUS class)
  • ASA Change of Authorization (CoA)
  • Cisco AnyConnect Client with ISE Posture Module (Windows)
  • Posture Compliant/Non-Compliant/Unknown States
  • ClamWin Antivirus
Relevant Videos:

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new Cisco technologies.

4 comments

I could not find Avast! on the list of AV vendor on ISE 1.3 .what can i do and can i add a new Vendor manually.

Thanks,
KO

Try to run a posture update first and if it is still not there, the vendor might not be supported. Don't believe you can add it manually neither

I trying to conduct a posture assessment on the user when they VPN using anyconnect.
the issue is the DACL that I'm applying when the posture is compliant.

if the DACL states permit ip any any, then the VPN works fine.

but I want to give only access to few subnet after the posture is compliant, so my DACL looks like

permit upd any any eq 53
permit tcp any any eq 53
permit ip any host PAN
permit ip any Subnet 0.0.0.255

as soon I apply the righ DACL I want to enforce, after the posture assessment finished the users are bounced off and on the lost history for the anyconnect it shows.

"The secure gateway has terminated the VPN connection. The following message was received from the secure gateway: COA initiated "

The subnet mask should be regular subnet mask and not inverse for an ASA.

Lab Minutes Classifieds