on 06-17-2016 03:14 PM
This paper will focus on the Identity Services Engine (ISE) ability to determine the endpoint state by doing a posture assessment. Before the release of ASA 9.2.1, VPN users requiring posture functionality required an Inline Posture Node (IPN) between the VPN infrastructure and the LAN protected network. With the release of ASA 9.2.1, we now have the ability to enforce policy on the ASA, and ISE has the ability to send a “policy push” after a posture assessment has taken place.
Is there an update for the document for ISE 2.2?
Nothing has changed for ISE 2.2.
The fundamentals should remain the same.
Let us know if something no longer applies or is correct.
On page 18, should the NACagent 4.x continue to be used? This was replaced by ISE posture, right?
Right, AnyConnect with the Compliance module.
Please see How To Configure Posture with AnyConnect Compliance Module and ISE 2.0
Thanks, this is helpful.
ISE3.2p7/ASA9.20.7.3/POSTURE:
If you get CoA-NAK from ASA:
Check if your tunnel-group has just authentication and accounting and not authorizing. If you also have authorizing in the required tunnel-group, then remove it; then CoA between ISE and ASA will work.
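The tunnel-group check described in the comment above can be run against a saved ASA configuration. This is an added example, not part of the thread or of Cisco's document; the sample configuration is constructed, and the names `ISE`, `VPN-POSTURE`, `VPN-OK` and `VPN-POOL` are placeholders.

```python
import re

# Constructed excerpt of an ASA running-config (all names are placeholders).
SAMPLE_CONFIG = """\
aaa-server ISE protocol radius
 dynamic-authorization
tunnel-group VPN-POSTURE type remote-access
tunnel-group VPN-POSTURE general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE
 authorization-server-group ISE
 accounting-server-group ISE
tunnel-group VPN-OK type remote-access
tunnel-group VPN-OK general-attributes
 authentication-server-group ISE
 accounting-server-group ISE
"""

HEADER = re.compile(r"tunnel-group (\S+) general-attributes\s*$")
# An optional "(interface)" may precede the server-group name.
AAA = re.compile(
    r"\s+(authentication|authorization|accounting)-server-group "
    r"(?:\(\S+\) )?(\S+)"
)


def parse_tunnel_groups(config):
    """Map each tunnel-group to the AAA server groups in its general-attributes."""
    groups, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            # A top-level line opens a new section; track it only if it is
            # a tunnel-group general-attributes block.
            match = HEADER.match(line)
            current = match.group(1) if match else None
            if current:
                groups.setdefault(current, {})
        elif current:
            match = AAA.match(line)
            if match:
                groups[current][match.group(1)] = match.group(2)
    return groups


def coa_nak_suspects(config):
    """Tunnel-groups that also set authorization-server-group (the case in the comment)."""
    parsed = parse_tunnel_groups(config)
    return sorted(name for name, aaa in parsed.items() if "authorization" in aaa)


if __name__ == "__main__":
    for name in coa_nak_suspects(SAMPLE_CONFIG):
        print(f"{name}: authorization-server-group is set; review it if CoA-NAK occurs")
```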