View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

Home » Security » SEC0195 - ISE 1.3 Posture Assessment on AnyConnect VPN (Part 2)

SEC0195 - ISE 1.3 Posture Assessment on AnyConnect VPN (Part 2)

Rating: 
5
Average: 5 (1 vote)
Difficulty Level: 
0
Lab Document: 
<Please login to see the content>
Category: 
Security
The video extends our previous Cisco ISE 1.3 posture assessment to remote VPN users. The goal is to have our VPN user subject to the same set of posture checks to enforce consistent network access experience regardless of user locations. Using the same posture policies with ClamWin Antivirus, we will concentrate on configuration on ASA, and authorization policy on ISE to support remote VPN authentication. We will be using AnyConnect client with ISE posture module on Windows for testing.
 
Part 2 of this video focuses on testing of posture assessment over AnyConnect VPN
 
Pre-requisite
  • Cisco ASA running version 9.2 or later with basic AnyConnect VPN
Topic:
  • Posture Assessment on AnyConnect VPN
  • Active Directory User Group Selection
  • Network Device
  • Policy Set
  • Authentication Policies
  • Authorization Policies
  • Client Provisioning Policies
  • Policy Elements
    • Results (Authorization Profile, dACL, RADIUS class)
  • ASA Change of Authorization (CoA)
  • Cisco AnyConnect Client with ISE Posture Module (Windows)
  • Posture Compliant/Non-Compliant/Unknown States
  • ClamWin Antivirus
Relevant Videos:
Tag: 
ISE
ise 1.3
vpn
posture
anyconnect
coa
asa
posture module

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.
http://www.linkedin.com/in/methachiewanichakorn

6 comments

Submitted by kodat on Thu, 10/01/2015 - 09:06

I could not find Avast! on the list of AV vendor on ISE 1.3 .what can i do and can i add a new Vendor manually.

Thanks,
KO

Submitted by admin on Sat, 10/03/2015 - 05:54

Try to run a posture update first and if it is still not there, the vendor might not be supported. Don't believe you can add it manually neither

Submitted by Ditmar Tavares on Thu, 12/17/2015 - 10:42

I trying to conduct a posture assessment on the user when they VPN using anyconnect.
the issue is the DACL that I'm applying when the posture is compliant.

if the DACL states permit ip any any, then the VPN works fine.

but I want to give only access to few subnet after the posture is compliant, so my DACL looks like

permit upd any any eq 53
permit tcp any any eq 53
permit ip any host PAN
permit ip any Subnet 0.0.0.255

as soon I apply the righ DACL I want to enforce, after the posture assessment finished the users are bounced off and on the lost history for the anyconnect it shows.

"The secure gateway has terminated the VPN connection. The following message was received from the secure gateway: COA initiated "

Submitted by admin on Thu, 12/17/2015 - 23:08

The subnet mask should be regular subnet mask and not inverse for an ASA.

Submitted by R409994 on Fri, 12/27/2019 - 01:00

Hi Metha .... How to Differentiate the Posture Assignment for Local and VPN Users in ISE 2.2

I Just created Posture policy for local users , but i don't want to use the same policy for VPN users. when i create new policy for VPN users its taking local users conditions also in posturing .

Please suggest me how to differentiate there two users.

Regards,
Ram Mohan
India,

Submitted by admin on Wed, 01/01/2020 - 19:13

You need to use a condition that only matches one or the other. One that you can potentially use is RADIUS NAS-port-type as that should be unique between .1x and VPN.