topic Re: Disconnect anyconnect vpn if ISE posture not compliant in Network Access Control

Disconnect anyconnect vpn if ISE posture not compliant

xbill42 — Wed, 22 Jul 2020 14:53:53 GMT

Hi,

I have a Firepower in ASA mode (9.14) for anyconnect VPN and cisco ISE for posture (Apex license).

I am trying to find if there is an option to force the VPN session to disconnect if the posture is not compliant.

For the moment when the PC is not compliant there is just the DACL pushed by the ISE to the firewall that prevents access to the network, but now I need to just disconnect the VPN if it's not compliant.

Does this feature exist, and how do I configure it ?

Best regards

Re: Disconnect anyconnect vpn if ISE posture not compliant

Mike.Cifelli — Wed, 22 Jul 2020 20:06:11 GMT

Does this feature exist, and how do I configure it ?
-AFAIK this is not possible. You could take a peek to see if you can identify some sort of advanced attribute to reference in your non-compliant authz profile. My question is why does this matter if you have a working solution to restrict access for non-compliant hosts? The only thing I can quickly think of is a licensing concern? IMO you would think (if possible depending on your posture checks) you would want to allow some sort of remediation for these hosts that then allows them to re-scan to get full network access. Lastly, I would think that a generic user would continue to attempt to get on the VPN pending disconnect.

Re: Disconnect anyconnect vpn if ISE posture not compliant

xbill42 — Thu, 23 Jul 2020 08:49:12 GMT

Hi,

We check for specific running process on corporate computers. If the process is not running it means that the client corporate computer is not configured properly or have a big problem (they would have to call the IT support and maybe bring their PC for checking etc...)

Why does it matter : there is no point that they stays connected to the tunnel with a deny ACL that allows access to nothing.

Best regards

Re: Disconnect anyconnect vpn if ISE posture not compliant

Rob Ingram — Thu, 23 Jul 2020 11:42:30 GMT

Hi,
I've not tried this but, create and AuthZ rule and match on Session-PostureStatus EQUALS NonCompliant and result Access-Reject.

Re: Disconnect anyconnect vpn if ISE posture not compliant

xbill42 — Fri, 07 Aug 2020 13:48:30 GMT

Hi,

I tried the access-reject option, but this triggers an error on the anyconnect side, something like unknown interruption error : general error.

I've also contacted TAC for this and they responded that it is impossible to disconnect the tunnel if the posture is not compliant.

This is a strange "feature" but it is what it is.

Best regards

Re: Disconnect anyconnect vpn if ISE posture not compliant

Rob Ingram — Fri, 07 Aug 2020 17:05:19 GMT

If TAC confirm there is no official method, you could configure the "Session-Timeout" and push that out in the AuthZ profile, this will define a short max session and disconnect once expires.

Re: Disconnect anyconnect vpn if ISE posture not compliant

xbill42 — Wed, 12 Aug 2020 08:48:25 GMT

Hi,

The Session-Timeout is not taken into account by the ASA, I don't see the max session value changed after receiving the COA.

The DACL is received on the other hand.

I'll try to push a whole group-policy with a short max session timeout.

Best regards

Re: Disconnect anyconnect vpn if ISE posture not compliant

Rob Ingram — Wed, 12 Aug 2020 15:08:12 GMT

Yes it is, I've tested it. It depends on what you configured. The problem with that command is the lowest value is 1 minute, so the user would be connected for 1 minute before being disconnected.