topic Re: VPN Posture Flexibility Question in Network Access Control

VPN Posture Flexibility Question

GQ — Sat, 17 Dec 2016 04:28:19 GMT

We're finding it difficult to put a specific use case into practice with the Posture options.

Employees + Corporate Assets = Posture checking and Remediation

Employees + BYOD devices = Posture checking with no Remediation (AV presence)

Contractors + Corporate Assets = Posture checking but no remediation (authZ denied)

Contractors + BYOD devices = Posture checking with no Remediation (AV presence) Same as Employees

The problem is by the time the posture policy is invoked for all of these use cases, there is no way to differentiate the user’s role from the endpoint they have. It wouldn’t be a problem except the remediations are different.

My solution so far has been that the contractors need their own ASA. The posture policy in ISE can use the ASA IP (or type/location) as a constraint to match the rule. Hopefully someone here has a more elegant solution. It seems like it should be doable but it isn’t looking obvious.

I was thinking it would be great if we had policy sets for the Posture policy. Maybe the authZ policy could cite Posture policyX for example.

Re: VPN Posture Flexibility Question

Charlie Moreton — Mon, 19 Dec 2016 14:38:38 GMT

You don't need an additional ASA for this. You can use a different Tunnel Group. You can then use that tunnel group to determine which Policy Set is used in ISE:

Taking it a step further, you can use the AD Group membership in the Authorization Policy to state that if a contractor connects to the Employee VPN tunnel, then they are either denied access or are redirected to a "Hotspot as a Message Portal" giving specific instruction on which VPN Group is to be connected.

You could also do the reverse with Employees connecting to the Contractor's VPN Tunnel.

Start here for the basic set up for the Hotspot as a Message configuration:

How To: ISE Web Portal Customization Options

Follow Exercise 1. When you get to Step 7, here is the script:

Also be sure to use any AD Group Memberships in the Posture Policy "Other Conditions" field to assign Posture Policies.

Then you can use Endpoint Identity Groups in the Authorization Policy to determine Corp Owned Devices.

I hope this makes sense.

- Charles Moreton

Re: VPN Posture Flexibility Question

GQ — Tue, 03 Jan 2017 17:19:35 GMT

The problem is how do you allow for Contractors using both corporate assets and BYOD devices? You have to use posture checks for that but the different posture checks can't be used as posture inputs. meaning

Contractors connect to Tunnel Group 'Contractors'

posture check looks for TG=Contractors + AD Group Contractors... but now I need two different postures. one is if it's a Corp asset then patches/AV/etc. If it's a BYOD device, only need AV.

By using a second ASA, the posture check can now be:

TG=Contractors + AD Group Contractors + ASA=Contractors

versus

TG=Contractors + AD Group Contractors + ASA=Employees

Trust me, the partner, TAC, and myself have looked it every which way. There just aren't a lot of selectable criteria in the Posture Policy for granular results like the customer wants.

Re: VPN Posture Flexibility Question

hslai — Wed, 18 Jan 2017 04:47:14 GMT

One of the features in the upcoming ISE release might help. I would suggest to join the ISE beta community, if not already done, to get more details.