topic ISE-VPN-Posture-Issue in Network Access Control

ISE-VPN-Posture-Issue

Neelesh Marathe — Wed, 22 Jun 2016 16:30:04 GMT

Team,

I am working with one of the customers for ISE POC-VPN-Posture. Following is the Lab setup

1. ISE 2.0 patch 3 (Standalone)

2. Anyconnect 4.3 / 4.2 ( I have defined discovery host in posture profile)

Posture checks and remediation is working as expected on domain laptops. But we are observing following with respect to posture module.

1. When we disconnect the VPN connection, posture assessment kicks in again and does the all the posture checks and remediation.

2. When we connect to any other non-posture VPN profile (different ASA, different radius server), posture assessment kicks in and does all the posture checks and remediation. But it does not affect the connectivity even it shows non-compliant. Discovery host is reachable from all other VPN profiles and Lan network.

3. On non-domain laptops, getting no policy server found.

Could you please throw some light on this. Am I missing something?

Thanks,

Neelesh Marathe

Re: ISE-VPN-Posture-Issue

thomas — Thu, 23 Jun 2016 15:34:17 GMT

Neelesh, I've asked our AnyConnect and Posture TMEs to review this and provide a response.

Re: ISE-VPN-Posture-Issue

pcarco — Thu, 23 Jun 2016 16:00:25 GMT

Hello,

I need some clarification.

"1. When we disconnect the VPN connection, posture assessment kicks in again and does the all the posture checks and remediation."

Is the test machine for VPN on the 'Outside' interface security level 0 of the ASA with no access to the internal' Inside' security level 100 unless VPN is established ?

"2. When we connect to any other non-posture VPN profile (different ASA, different radius server), posture assessment kicks in and does all the posture checks and remediation. But it does not affect the connectivity even it shows non-compliant. Discovery host is reachable from all other VPN profiles and Lan network."

You do mean Tunnel-group/Connection profile - correct ? Can you email me the ASA configuration directly it may help clear things up.

"3. On non-domain laptops, getting no policy server found."

With the vpn established to ASA ?

Thank you

Paul

Re: ISE-VPN-Posture-Issue

Neelesh Marathe — Fri, 24 Jun 2016 06:18:06 GMT

Hello Thomas,

Thanks..

Hello Paul,

Please find my answers

Is the test machine for VPN on the 'Outside' interface security level 0 of te ASA with no access to the internal' Inside' security level 100 unless VPN is established ? We only have one Inside interface on ASA. Public IP address is natted to this Inside interface IP address on Checkpoint which is installed before ASA. So its a same interface scenario. Radius and other traffic comes in and goes out from same interface.

You do mean Tunnel-group/Connection profile - correct ? Can you email me the ASA configuration directly it may help clear things up. - Correct. I have asked customer to share running configuration. I dont have access to ASA. I am also not sure if customer will share ASA config.

With the vpn established to ASA ? Yes after VPN established.

Thanks,

Neelesh Marathe

Re: ISE-VPN-Posture-Issue

Neelesh Marathe — Mon, 27 Jun 2016 09:59:21 GMT

Hello Paul,

Could you please provide you inputs. I have responded to your queries. I dont have ASA running config yet. Once I get I will provide it to you

Thanks,

Neelesh Marathe

Re: ISE-VPN-Posture-Issue

pcarco — Mon, 27 Jun 2016 20:45:53 GMT

Hello,

In my opinion I think this topology is only going to complicate troubleshooting this and without the ASA configuration it is even more difficult. Why are they only using a single interface for VPN ?

1.) what network is the endpoint on when establishing the vpn session - is this the same network as ISE ?

2.) What is the local ip pool or dhcp scope assigned to the user when the session is established ? - Is this the same network as ISE and the same network that they established the session from ?

Please send the ASA configuration ASAP. If they dont want to share then maybe they should open a TAC case and do a webex with them to troubleshoot this.

Best regards,

Paul

Re: ISE-VPN-Posture-Issue

Neelesh Marathe — Sun, 03 Jul 2016 16:14:17 GMT

Hello Paul,

Problem seems to be resolved after configuring ISE-group in radius-accounting configuration in ASA

Thanks,

Neelesh Marathe

Re: ISE-VPN-Posture-Issue

pcarco — Tue, 12 Jul 2016 19:05:25 GMT

Good to hear its resolved.

Best regards,

Paul