View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0195 - ISE 1.3 Posture Assessment on AnyConnect VPN (Part 2)

Average: 5 (1 vote)
Difficulty Level: 
Lab Document: 
<Please login to see the content>
Video Download: 
Title: SEC0195 - Video Download $11.00
Purchase SEC0195 - Video Download $11.00
The video extends our previous Cisco ISE 1.3 posture assessment to remote VPN users. The goal is to have our VPN user subject to the same set of posture checks to enforce consistent network access experience regardless of user locations. Using the same posture policies with ClamWin Antivirus, we will concentrate on configuration on ASA, and authorization policy on ISE to support remote VPN authentication. We will be using AnyConnect client with ISE posture module on Windows for testing.
Part 2 of this video focuses on testing of posture assessment over AnyConnect VPN
  • Cisco ASA running version 9.2 or later with basic AnyConnect VPN
  • Posture Assessment on AnyConnect VPN
  • Active Directory User Group Selection
  • Network Device
  • Policy Set
  • Authentication Policies
  • Authorization Policies
  • Client Provisioning Policies
  • Policy Elements
    • Results (Authorization Profile, dACL, RADIUS class)
  • ASA Change of Authorization (CoA)
  • Cisco AnyConnect Client with ISE Posture Module (Windows)
  • Posture Compliant/Non-Compliant/Unknown States
  • ClamWin Antivirus
Relevant Videos:

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.


I could not find Avast! on the list of AV vendor on ISE 1.3 .what can i do and can i add a new Vendor manually.


Try to run a posture update first and if it is still not there, the vendor might not be supported. Don't believe you can add it manually neither

I trying to conduct a posture assessment on the user when they VPN using anyconnect.
the issue is the DACL that I'm applying when the posture is compliant.

if the DACL states permit ip any any, then the VPN works fine.

but I want to give only access to few subnet after the posture is compliant, so my DACL looks like

permit upd any any eq 53
permit tcp any any eq 53
permit ip any host PAN
permit ip any Subnet

as soon I apply the righ DACL I want to enforce, after the posture assessment finished the users are bounced off and on the lost history for the anyconnect it shows.

"The secure gateway has terminated the VPN connection. The following message was received from the secure gateway: COA initiated "

The subnet mask should be regular subnet mask and not inverse for an ASA.

Hi Metha .... How to Differentiate the Posture Assignment for Local and VPN Users in ISE 2.2

I Just created Posture policy for local users , but i don't want to use the same policy for VPN users. when i create new policy for VPN users its taking local users conditions also in posturing .

Please suggest me how to differentiate there two users.

Ram Mohan

You need to use a condition that only matches one or the other. One that you can potentially use is RADIUS NAS-port-type as that should be unique between .1x and VPN.

Lab Minutes Classifieds