topic Re: ISE HAVE to use AnyConnect - just a confirmation in Network Access Control

ISE HAVE to use AnyConnect - just a confirmation

steven#13 — Mon, 10 Feb 2020 17:25:27 GMT

I know this is relatively a "dumb" question, but just wanted to be sure because someone put doubt in my head. Actually, two questions to ensure absolute clarity.

1. Will Cisco ISE ONLY work with AnyConnect, specifically for the posture and other modules to deliver the rules and profiles "to and from" ISE? Meaning no other "third-party" resource delivery agent would work.

2. Assuming the answer to number 1 is "Yes," then the question is: while you need AnyConnect "as a tool of ISE," are you required to only use AnyConnect specifically for the VPN service/connection? Meaning, you can have a different VPN solution (say, OpenVPN) for the actual "tunnel"/protection of the connection, but you still have to have AnyConnect installed and configured to work with ISE for the profile access rules, correct?

Re: ISE HAVE to use AnyConnect - just a confirmation

Francesco Molino — Mon, 10 Feb 2020 18:58:52 GMT

Hi

For Posture, yes you will need Anyconnect, no 3rd party software will work.
Sure you can have Anyconnect just for posture and use your current VPN vendor or any other tools. VPN and Posture are 2 different things.
However, if you want to force VPN users to do posture, then it will be complex because you need to force a user to get redirected. Never tried for VPN (not so often I use ISE posture for VPN because prefer integration with TCNAC solutions) , if you authenticate your users through ISE and push a policy to redirect them on your CPP portal + setup your VPN to force ISE to act as DHCP/DNS for these users, it may works. Not tested but it worth a test.

Re: ISE HAVE to use AnyConnect - just a confirmation

steven#13 — Thu, 13 Feb 2020 19:38:10 GMT

Thank you, that is helpful information. I guess what I'm focussing on is pushing out network access based on specific profiles within ISE which will determine what that person can access or if accessing from a non-domain joined computer it would read that and then could limit access. I guess determination of the type of device from which the user is connecting could only be determined from the Posture through AnyConnect. However, if just interested in network access rights/permissions controlled by ISE (profiles), could that be done without the Posture process you mentioned - meaning, would there be an easy/simple way to trigger DACL based on user authentication in order to control what the person could access over VPN?

Re: ISE HAVE to use AnyConnect - just a confirmation

Mike.Cifelli — Thu, 13 Feb 2020 19:55:25 GMT

However, if just interested in network access rights/permissions controlled by ISE (profiles), could that be done without the Posture process you mentioned - meaning, would there be an easy/simple way to trigger DACL based on user authentication in order to control what the person could access over VPN?
-You can accomplish this without the use of the ISE posture module. If you wish to push authz policy based on tunnel-group-name you can reference this condition: Cisco-VPN3000: CVPN3000/ASA/Pix7x-Tunnel-Group-Name EQUALS <group>
Create your dacl, assign it to authz profile, and assign to authz policy as you desire.

Re: ISE HAVE to use AnyConnect - just a confirmation

Francesco Molino — Fri, 14 Feb 2020 03:06:38 GMT

Yes you can push acl based on user id during the authentication.
However, you won't be able to determine if this user uses a corporate laptop or not without the posture feature.