SEC0195 - ISE 1.3 Posture Assessment on AnyConnect VPN (Part 2)
Category:
Security
The video extends our previous Cisco ISE 1.3 posture assessment to remote VPN users. The goal is to subject VPN users to the same set of posture checks, so that network access is enforced consistently regardless of where the user connects from. Using the same posture policies with ClamWin Antivirus, we will concentrate on the configuration on the ASA and on the authorization policy on ISE needed to support remote VPN authentication. We will be using the AnyConnect client with the ISE posture module on Windows for testing.
Part 2 of this video focuses on testing posture assessment over AnyConnect VPN.
Prerequisite
- Cisco ASA running version 9.2 or later with basic AnyConnect VPN
Topic:
- Posture Assessment on AnyConnect VPN
- Active Directory User Group Selection
- Network Device
- Policy Set
- Authentication Policies
- Authorization Policies
- Client Provisioning Policies
- Policy Elements
- Results (Authorization Profile, dACL, RADIUS class)
- ASA Change of Authorization (CoA)
- Cisco AnyConnect Client with ISE Posture Module (Windows)
- Posture Compliant/Non-Compliant/Unknown States
- ClamWin Antivirus
6 comments
AV vendor (Avast)
I could not find Avast! on the list of AV vendors on ISE 1.3. What can I do, and can I add a new vendor manually?
Thanks,
KO
Try to run a posture update
Try to run a posture update first, and if it is still not there, the vendor might not be supported. I don't believe you can add it manually either.
posture compliant on VPN terminates the connection
I am trying to conduct a posture assessment on users when they VPN in using AnyConnect.
The issue is the DACL that I'm applying when the posture is compliant.
If the DACL states permit ip any any, then the VPN works fine.
But I want to give access to only a few subnets after the posture is compliant, so my DACL looks like:
permit udp any any eq 53
permit tcp any any eq 53
permit ip any host PAN
permit ip any Subnet 0.0.0.255
As soon as I apply the right DACL I want to enforce, after the posture assessment has finished the users are bounced off, and in the log history for AnyConnect it shows:
"The secure gateway has terminated the VPN connection. The following message was received from the secure gateway: COA initiated "
posture compliant on VPN terminates the connection
The subnet mask should be a regular subnet mask and not an inverse mask for an ASA.
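The mask point in the reply above, as an added pre-push check that is not from the video or from either poster: it parses an ISE dACL and flags ACEs whose network mask is written in inverse (wildcard) form, suggesting the subnet-mask form the ASA expects, and also flags unknown protocol keywords. The dACL syntax subset it understands (permit/deny, any/host/network+mask, eq/gt/lt/neq/range) and the sample addresses are assumptions.

```python
import ipaddress

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}  # assumed subset of what ISE accepts
PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}  # operator -> tokens it consumes

def mask_kind(mask: str) -> str:
    """Classify a dotted-quad mask: 'netmask' (1s then 0s), 'wildcard' (0s then 1s) or 'invalid'."""
    try:
        bits = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return "invalid"
    inv = bits ^ 0xFFFFFFFF
    if inv & (inv + 1) == 0:    # inverse is 0..01..1, so the mask is 1..10..0
        return "netmask"        # also 0.0.0.0 and 255.255.255.255, which fit both shapes
    if bits & (bits + 1) == 0:  # the mask itself is 0..01..1
        return "wildcard"
    return "invalid"

def _parse_addr(tokens, i):
    """Consume one address spec (any | host A | A MASK); return (next_index, problem_or_None)."""
    if tokens[i] in ("any", "host"):
        return i + (2 if tokens[i] == "host" else 1), None
    mask = tokens[i + 1] if i + 1 < len(tokens) else ""
    if mask_kind(mask) == "wildcard":  # the thread's bug: inverse mask in a dACL pushed to an ASA
        fix = ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF)
        return i + 2, f"inverse mask {mask}; an ASA dACL needs subnet mask {fix}"
    return i + 2, (None if mask_kind(mask) == "netmask" else f"unrecognised mask {mask!r}")

def lint_dacl(dacl: str) -> list:
    """Return (line_number, message) for each faulty ACE in an ISE dACL text."""
    findings = []
    for n, line in enumerate(dacl.strip().splitlines(), 1):
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            findings.append((n, "ACE must read '<permit|deny> <proto> <src> <dst>'"))
            continue
        if tokens[1] not in PROTOCOLS:
            findings.append((n, f"unknown protocol keyword {tokens[1]!r}"))
        i = 2
        for _ in range(2):  # source spec, then destination spec
            i, problem = _parse_addr(tokens, i)
            if problem:
                findings.append((n, problem))
            if i < len(tokens) and tokens[i] in PORT_OPS:
                i += PORT_OPS[tokens[i]]
    return findings

# Constructed dACL with the same shape as the one in the thread (addresses are made up).
SAMPLE_DACL = """permit udp any any eq 53
permit ip any host 10.10.10.5
permit ip any 10.10.20.0 0.0.0.255"""
```

Running lint_dacl(SAMPLE_DACL) reports only line 3, with 255.255.255.0 as the mask to use instead of 0.0.0.255.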
Differentiate the Posture Assignment for Local and VPN Users
Hi Metha, how do I differentiate the posture assignment for local and VPN users in ISE 2.2?
I just created a posture policy for local users, but I don't want to use the same policy for VPN users. When I create a new policy for VPN users, it takes the local users' conditions into posturing as well.
Please suggest how to differentiate these two kinds of users.
Regards,
Ram Mohan
India
Differentiate the Posture Assignment for Local and VPN Users
You need to use a condition that only matches one or the other. One that you can potentially use is RADIUS NAS-Port-Type, as that should be unique between 802.1X and VPN.