topic Re:VPN inline posture using iPEP ISE and cisco ASA in Network Access Control

VPN inline posture using iPEP ISE and cisco ASA

yong khang NG — Mon, 11 Mar 2019 02:35:39 GMT

Hi All,

would like to check out these 2 question from you all:

Question 1:

For VPN inline posture using iPEP ISE and cisco ASA. Is it mandatory for endpoint VPN client must go through client provisioning and posture after authentication?

Can i just simplify the process as: authentication success, CoA comply to setting AuthZ profile, Full access.

Question 2:

For design perspective (VPN inline posture using iPEP ISE and cisco ASA platform):

For the Remote Access VPN (VPN client using AnyConnect secure mobility client), we will configuring the AnyConnect client profile for VPN client on PRE-login phase.

What's the practice for Post-Login phase authorization policy provision? Is it the only option after the CoA happen VPN user are provision with the authorization profile and dACL from ISE policy service node?

Can we still inherit or use the setting on AnyConnect Client profile's group policy?

Is there any document discussing about this topic: authorization policy for post-login in the environment of VPN inline posture using iPEP, ISE policy service node serve as central policy?

It's lovely if you share the relevant reference URL regarding this topic.

My platform using these device and version

a. ISE 3355, ISE version 1.1

b. ASA 5520, ASA version 8.4.2

Thanks

Noel

Re:VPN inline posture using iPEP ISE and cisco ASA

Tarik Admani — Wed, 26 Sep 2012 12:56:51 GMT

Noel,

It is not mandatory to deploy an inline node if you are only performing authentication.

If you want to download acls to the client to restrict access you can do that from the central psn.

The entire purpose of ipep is to dynamically change the user access through change of authorization at the inline.

Also the client must have a vpn session established before the ipep builds a session and determines it access policy.

Let me know if this helps

Sent from Cisco Technical Support Android App

VPN inline posture using iPEP ISE and cisco ASA

yong khang NG — Thu, 27 Sep 2012 02:07:17 GMT

Hi Tarik,

Thanks for your reply. But my concern is on the POST-LOGIN phase authorization part.

Can ISE policy service node able to perform the feature of what ASDM remote access VPN anyconnect's group policy can do? example split tunnel.

Thanks

Noel

Re:VPN inline posture using iPEP ISE and cisco ASA

Tarik Admani — Thu, 27 Sep 2012 02:19:28 GMT

Are you trying to assign accesslist to users?

If so you can do this through radius and do not need ipep.

Ipep us only for coa. Here is an example of what I use ipep for.

I establish a vpn connection. I hit a remediation policy, the asa routes all my traffic to the ipep (at this point the asa is done authenticating) now the ipep is enforcing the remediation policy by redirecting all my traffic to the policy service node (via a downloadable acls defined on ise remediation policy), and allowing me access to mcafee server and windows update server in case I am out of compliance.

After I meet the requirements the agrnt report let's ise know I am compliant and coa is sent to ipep where my access is elevated to a compliant policy. Ipep applies a new accesslist to my session and removes the redirection policy.

Thanks

Sent from Cisco Technical Support Android App

Re:VPN inline posture using iPEP ISE and cisco ASA

yong khang NG — Wed, 17 Oct 2012 12:04:17 GMT

Hi Tarik,

First of all thanks for the reply. Here's some follow up question on my question.

Would like to make some amendment on my business requirement.

01. It is a 2 factor authentication, where user credential validate on external ID store (AD) and RSA token. Agent is using AnyConnect client VPN.

This part i a bit confuse. How's the authentication sequence look like? Because i am thinking when IPEP and PSN done on the RADIUS Access request and Access, then only do the RSA SDI challenge?

After this part done, there's posture validation checking either user install NAC agent. If Yes then only grant access to the network.

02. Since this involve RADIUS authentication, so where i can create the authorization profile for the user? Can ISE PSN authorization doing split tunnel this kind of feature? (is it need to configure customize AV-Pair attribute etc for this?)

03. Please suggest and comment, with the business requirement of

a. 2 factor authentication (RSA, Exrternal ID store)

b. Using ISE PSN for authorization profile (Instead of ASA)

c. posture checking on NAC agent installed.

Client OS were all WINDOW 7 64 bit.

Attached topology1.png diagram for reference

Thanks

VPN inline posture using iPEP ISE and cisco ASA

Tarik Admani — Wed, 17 Oct 2012 16:26:01 GMT

Hi,

These are questions that I am not able to answer at the moment since I havent had a chance to lab these up. However if you are an ATP partner and are looking for help, you can wait for someone who can chime in on the forums or use the Partner help desk:

http://www.cisco.com/web/partners/tools/pdihd_faqs.html

Or you can open a TAC case to get this issues resolved much faster.

Thanks,

Tarik Admani
*Please rate helpful posts*

Re:VPN inline posture using iPEP ISE and cisco ASA

vikasyad — Fri, 24 May 2013 03:20:22 GMT

Please review the below link which might be helpful as this is already on support forum:

https://supportforums.cisco.com/docs/DOC-24412

http://www.cisco.com/image/gif/paws/115724/vpn-inpost-asa-00.pdf