SEC0279 - ISE 2.2 Posture Assessment with AnyConnect Client (Part 4)
Category:
Security
This video looks at posture assessment with AnyConnect on Cisco ISE 2.2. The main focus is the new posture checks introduced in a recent ISE version: App Collection, Windows Firewall and Anti-Malware. Using a wired Windows 10 machine, we step through the posture assessment process, starting with the AnyConnect download, and test auto-remediation to bring the machine to a compliant state. The video closes with the ability to control applications with App Control.
Part 4 of this video covers final testing with remediation, and App Control.
Topic:
- Posture Workcenter
- Authorization Policies
- Policy Elements
- Results (Authorization Profile, dACL, VLAN)
- Client Provisioning Policies
- Client Provisioning Portal
- AnyConnect Posture Profile and Configuration
- Cisco AnyConnect Client with ISE Posture Module (Windows)
- Posture Compliant/Non-Compliant/Unknown States
- Posture Policies
- App Collection
- Windows Firewall
- Windows Defender Anti-Malware
- Posture Remediation
- Application Control
2 comments
AnyConnect Access with Profile Based
We are planning to use AnyConnect by tagging the user IDs to AD Security Groups that would have access only to specific applications, and also to tag those AD groups to the VPN XML profiles to create the required Secure Virtual Access (SVA). On top of that, we are also planning to restrict access at an IP level for the VPN clients on the ASA only to specific applications.
Please provide your valuable suggestions and guidelines on how to implement this setup.
AnyConnect Access with Profile Based
You would have an AAA server like ISE integrated with AD, and upon successful user auth, ISE looks up AD group membership and returns the appropriate Group Policy and DACL to the ASA. Under the Group Policy, you can have it mapped to a Client Profile XML. If you are OK restricting by protocol/port, using an ACL is fine. If you want true application inspection, you need an L4-7 FW like Firepower/FTD.