topic Question about DACLS on ISE with AnyConnect Posture Checks in Network Access Control

Question about DACLS on ISE with AnyConnect Posture Checks

hurricane05 — Tue, 18 May 2021 13:01:42 GMT

Good afternoon. I'm working to understand more about DACLs using Cisco ISE to perform posture checks against our AnyConnect vpn clients. I understand I need to create a few different DACLs to allow/deny traffic based on the posture checks we create. In reference to the DACLs, do they actually get configured on the Cisco ASA firewall as an ACL? More so does any configuration get add/removed/updated on the Cisco ASA by ISE? For the DACLS that I create, do I need to create the same ACLs on the ASA?

Thx in advance for any assistance given.

Re: Question about DACLS on ISE with AnyConnect Posture Checks

Mike.Cifelli — Wed, 19 May 2021 12:10:01 GMT

In reference to the DACLs, do they actually get configured on the Cisco ASA firewall as an ACL?

-For client provisioning web redirection, yes. You would configure the ACL on the FW, and then inside the authz profile select Web Redirection for posturing and paste in the ACL name so that the ASA knows what ACL to apply.

More so does any configuration get add/removed/updated on the Cisco ASA by ISE? For the DACLS that I create, do I need to create the same ACLs on the ASA?

-ISE will send the remaining DACLs for compliant or noncompliant states to the ASA. These DACLs are created in ISE and do not need to be on the ASA. Just create them in ISE, and assign to compliant/noncompliant authz profiles.

A few oldies, but goodies:

ASA Version 9.2.1 VPN Posture with ISE Configuration Example - Cisco

How To: ISE and ASA Integration using CoA for Posture - Cisco Community

HTH!

Re: Question about DACLS on ISE with AnyConnect Posture Checks

hurricane05 — Wed, 19 May 2021 12:49:13 GMT

Thx for the feedback!!!