topic Re: How to do Posture with a 3rd Party VPN solution in Network Access Control

How to do Posture with a 3rd Party VPN solution

bodonogh — Sun, 05 Apr 2020 17:31:32 GMT

Hi there,

for a customer with a 3rd party VPN solution in place, are there suggestions in how ISE may be able to provide more than just AAA capabilities?

Our customer would like for ISE to be able to check for a registry key, AV installed & Windows update for VPN clients before allowing them on dedicated trusted VLAN inside the VPN concentrator.

Looking for pointers in how we might approach this (we're unlikely to migrate them to ASA/Firepower in the short term).

Brian

Re: How to do Posture with a 3rd Party VPN solution

pavagupt — Mon, 06 Apr 2020 05:38:19 GMT

Posture functionality depends on CoA and url-redirection capabilities. Due to lack of support of CoA functionality and url-redirect in 3rd party vpn devices, posture functionality isn't supported. Make sure vpn devices does support this in order to move forward

Re: How to do Posture with a 3rd Party VPN solution

maf_1 — Wed, 13 Oct 2021 08:57:06 GMT

Foritgate Supports CoA. and it does some sort of URL redirection. What's the possibility in this case?

Re: How to do Posture with a 3rd Party VPN solution

pavagupt — Wed, 13 Oct 2021 11:23:04 GMT

in that case, as per earlier thread customer could make use of registry keys, AV installed and windows updates with the help of posture checks before allowing access to VPN users.

Basically, Once the user gets authenticated over VPN -- > gets postured using the posture policies in ISE -- > PSN raises CoA to give authorization as per compliance or non-compliance authz policies.

Re: How to do Posture with a 3rd Party VPN solution

maf_1 — Wed, 13 Oct 2021 12:26:31 GMT

that's how it should be theoretically, but what needs to be done on ISE in this regard?

Re: How to do Posture with a 3rd Party VPN solution

pavagupt — Wed, 13 Oct 2021 12:34:01 GMT

i am assuming you are talking about configuring Fortigate VPN under ISE. if so, you have to add Foritgate VPN as a Network Access device. Refer "ISE third party vendor support" section under http://cs.co/ise-guides.

Then you can create posture/authz policies in ISE as per customer requirement so as to posture VPN endpoints.

Re: How to do Posture with a 3rd Party VPN solution

maf_1 — Wed, 13 Oct 2021 12:41:36 GMT

trying to do this: Its for VPN User
User -> Fortiagate -> Fortiauthenticator (Synced with AD for MFA).
Now we have added ISE between this flow.
User -> Fortigate - > Cisco ISE (Synced with AD and Fortiauthenticator Configured as Radius Token) -> Fortiauthenticator (Synced with AD and used for MFA)

Authentication is working fine.