You are here
SEC0195 - ISE 1.3 Posture Assessment on AnyConnect VPN (Part 1)
Difficulty Level:
Lab Document:
<Please login to see the content>
Category:
Security
The video extends our previous Cisco ISE 1.3 posture assessment to remote VPN users. The goal is to have our VPN user subject to the same set of posture checks to enforce consistent network access experience regardless of user locations. Using the same posture policies with ClamWin Antivirus, we will concentrate on configuration on ASA, and authorization policy on ISE to support remote VPN authentication. We will be using AnyConnect client with ISE posture module on Windows for testing.
Part 1 of this video shows configuration on ISE to support remote VPN authentication, and authorization
Pre-requisite
- Cisco ASA running version 9.2 or later with basic AnyConnect VPN
Topic:
- Posture Assessment on AnyConnect VPN
- Active Directory User Group Selection
- Network Device
- Policy Set
- Authentication Policies
- Authorization Policies
- Client Provisioning Policies
-
Policy Elements
- Results (Authorization Profile, dACL, RADIUS class)
- ASA Change of Authorization (CoA)
- Cisco AnyConnect Client with ISE Posture Module (Windows)
- Posture Compliant/Non-Compliant/Unknown States
- ClamWin Antivirus
Relevant Videos:
6 comments
ISE IPN 1.2 with Ise 1.3 ??
Hi I`m planning to use ISE IPN 1.2 with Ise 1.3 and NAC agent 4.9.5.4 is that compatible ? if i want to use Any connect, what version is correct ?
ISE IPN 1.2 with Ise 1.3
IPN version needs to be the same as A/M node as it will need to be registered to it. Latest NAC Agent and AnyConnect 4.0+ should be supported.
Redirect not working, Need Help!
So I have followed your video on the ASA VPN ISE Posture check and on 2 different systems, I am still unable to get the redirect to work correctly.
This is my ACL_REDIRECT on the ASA 5505:
access-list ACL_REDIRECT extended deny udp any any eq domain
access-list ACL_REDIRECT extended deny ip any host 172.100.1.220
access-list ACL_REDIRECT extended deny ip any host 172.100.1.221
access-list ACL_REDIRECT extended permit tcp any any eq www
access-list ACL_REDIRECT extended permit tcp any any eq https
The dACL (VPN_ISE_AV_ONLY) looks like this:
permit udp any any eq 53
permit ip any host 172.100.1.220
permit ip any host 172.100.1.221
permit tcp any any eq 80
permit tcp any any eq 443
These are placed in an Authorization Profile called VPN_UNKNOWN with the following attributes:
Access Type = ACCESS_ACCEPT
DACL = VPN_ISE_AV_ONLY
cisco-av-pair = url-redirect-acl=ACL_REDIRECT
cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=283258a0-...
Also, here is my aaa-server information:
aaa-server ISE protocol radius
authorize-only
interim-accounting-update periodic 1
dynamic-authorization
aaa-server ISE (inside) host 172.100.1.220
key *****
Am I missing something here? For the life of me I can't get this thing to work. The redirect part is not working, not to mention that the ISE Posture Module does not appear to be working either, but I feel like that is directly related to the redirect not working.
***Edit:
I am running ISE 1.4 patch 3 and Cisco Adaptive Security Appliance Software Version 9.2(4).
Thanks,
Alex
Redirect not working, Need Help!
What does your "show vpn-s de any" look like? Do you see the ACL and redirect URL applied? Can you try no-split tunnel if not already? URL redirect needs to work for the AnyConnect ISE Posture agent to run.
Nevermind, it is working now.
Nevermind, it is working now. It wasn't the redirect afterall, it was the way my ASA VPN was configured. I have this in my lab and my test VM workstations and ISE were all on the ASA inside interface so no matter how I did it, I was unable to ping anything on the inside interface once I connected to the VPN until I issued the command "same-security-traffic permit intra-interface". I'm not as familiar with ASA as I should be, so I did not know that command needed to be issued. I'm sure it would have worked out of the gate if I would have been coming in from the outside interface.
Thanks again for your work! Your videos are really easy to follow and you do good work in them.
Yes.. Hairpinning traffic on
Yes.. Hairpinning traffic on ASA interface needs the same-security intra-interface command for it to work. Glad it worked out for you.