topic Re: ISE Profiling and Posturing support for PAN VPN users in Network Access Control

ISE Profiling and Posturing support for PAN VPN users

Vijaykumar Mittimani — Mon, 11 Dec 2017 19:48:58 GMT

Hello Experts!

I have a requirement where ISE needs to do Profiling and Posturing for VPN endpoints using PAN's GlobalProtect, I want your opinion on how to support Posturing and Profiling for VPN users connecting to the network using PAN's GlobalProtect. I have an assumption on the following info which I got from a Cisco Engineer.

Palo Alto does not support RADIUS CoA (Change of Authorization) [RFC-3576]. As a result, most advanced ISE features (Posture, BYOD, Profiling, etc) on VPN would not be supported when integrating with PAN
PAN does support standard RADIUS attributes. As a result, we can perform basic RADIUS based authentication for RA-VPN clients
PAN does support both RADIUS and TACACS+ for device administration. Thus, ISE can be configured to provide AAA services for PAN based administrators

Re: ISE Profiling and Posturing support for PAN VPN users

Jason Kunst — Mon, 11 Dec 2017 19:53:30 GMT

You are correct on all 3! The only posture integrated service we have is with Cisco based vpn concentrator (ex: ASA).

I don't think you will gain much visibility with profiling as well. I have asked another SME to be sure

Re: ISE Profiling and Posturing support for PAN VPN users

Craig Hyps — Mon, 11 Dec 2017 20:22:21 GMT

Currently that is correct. Without a way to trigger CoA, then user may be deemed posture compliant but no way to reauthorize after initial quarantine without manual intervention by user.