https://community.cisco.com/t5/network-access-control/ise-inline-vpn-posture/m-p/2433873#M88343 <HTML><HEAD></HEAD><BODY><P><IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" width="19" />For&nbsp; certain devices, you may want to bypass authentication, posture&nbsp; assessment, role assignment, or any combination thereof. Common examples&nbsp; of bypassed device types include printers, IP phones, servers,&nbsp; nonclient machines, and network devices. </P><P></P><P> <A name="wp1154251"></A></P><P> Inline Posture matches the MAC, MAC and IP, or subnet address to determine whether the bypass function is enabled for a device. You can choose to bypass policy enforcement or to forcibly block access. </P><P></P><P></P><HR /><P></P><P> <A name="wp1167364"></A></P><DIV> <STRONG>Caution </STRONG><IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" width="6" />Do not configure the MAC address in a MAC filter for a directly connected ASA VPN device without also entering the IP address. Without the addition of the optional IP&nbsp; address, VPN clients are allowed to bypass policy enforcement. This&nbsp; bypass happens because the VPN is a Layer 3 hop for clients, and the&nbsp; device uses its own MAC address as the source address to send packets along the network toward the Inline Posture node. </DIV></BODY></HTML> Thu, 06 Feb 2014 09:19:13 GMT Naveen Kumar 2014-02-06T09:19:13Z https://community.cisco.com/t5/network-access-control/ise-inline-vpn-posture/m-p/2433871#M88341 <P>Hi,</P><P></P><P>I have the following setup for the VPN inline posturing:</P><P></P><P>VPN Users ----- ASA ----- ISE (ipep) ------ Core SW</P><P></P><P>On the ASA, I have 2 tunnel-groups, the 1st one uses the ISE as radius server, and the 2nd one is using local authentication, and they are sharing the same IP pool (ASA inside interface subnet).</P><P></P><P>When the users connect to tunnel-group with ISE, all is working fine, the NAC agent installed and users can access internal resources.</P><P>When any user connects to tunnel-group without ISE, he cannot access any internal resources, even that the routing and everything is configured.</P><P></P><P>The filter configuration here is only applied to ASA inside interface, when I add all the subnet to the filter configuration, we can access the inside VLANs but without we cannot.</P><P></P><P>Is this means that I do bypass posture assessment for all the traffic from this pool (with and without ISE)? or I need to have 2 seperate pools for that? The filter configuration is not that clear in this setup.</P><P></P><P>Thanks.</P><P>Ahmad. </P> Mon, 11 Mar 2019 04:21:05 GMT https://community.cisco.com/t5/network-access-control/ise-inline-vpn-posture/m-p/2433871#M88341 Ahmad Murad 2019-03-11T04:21:05Z https://community.cisco.com/t5/network-access-control/ise-inline-vpn-posture/m-p/2433872#M88342 <HTML><HEAD></HEAD><BODY><P>Please refer the ISE inline posture config. from</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ipep_deploy.html">http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ipep_deploy.html</A></P></BODY></HTML> Wed, 05 Feb 2014 09:00:43 GMT https://community.cisco.com/t5/network-access-control/ise-inline-vpn-posture/m-p/2433872#M88342 Saurav Lodh 2014-02-05T09:00:43Z https://community.cisco.com/t5/network-access-control/ise-inline-vpn-posture/m-p/2433873#M88343 <HTML><HEAD></HEAD><BODY><P><IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" width="19" />For&nbsp; certain devices, you may want to bypass authentication, posture&nbsp; assessment, role assignment, or any combination thereof. Common examples&nbsp; of bypassed device types include printers, IP phones, servers,&nbsp; nonclient machines, and network devices. </P><P></P><P> <A name="wp1154251"></A></P><P> Inline Posture matches the MAC, MAC and IP, or subnet address to determine whether the bypass function is enabled for a device. You can choose to bypass policy enforcement or to forcibly block access. </P><P></P><P></P><HR /><P></P><P> <A name="wp1167364"></A></P><DIV> <STRONG>Caution </STRONG><IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" width="6" />Do not configure the MAC address in a MAC filter for a directly connected ASA VPN device without also entering the IP address. Without the addition of the optional IP&nbsp; address, VPN clients are allowed to bypass policy enforcement. This&nbsp; bypass happens because the VPN is a Layer 3 hop for clients, and the&nbsp; device uses its own MAC address as the source address to send packets along the network toward the Inline Posture node. </DIV></BODY></HTML> Thu, 06 Feb 2014 09:19:13 GMT https://community.cisco.com/t5/network-access-control/ise-inline-vpn-posture/m-p/2433873#M88343 Naveen Kumar 2014-02-06T09:19:13Z https://community.cisco.com/t5/network-access-control/ise-inline-vpn-posture/m-p/2433874#M88344 <P>I have a similar scenario:</P><P>VPN users ----- ASA ----- ISE-ipep (HA) ----- Core SW</P><P>I have two pools for users. One pool (192.168.0.0/22) is intended for laptops with anyconnect authenticated by ISE (Internal – further would be AD). The second pool (192.168.4.0/22) is intended for mobile devices (smartphones and iDevices); authenticated by ASA certificates and bypassed in the IPN.</P><P>On the first tests, the laptops can be authenticated by ISE Internal DB, but users can’t access internal resources.</P><P>I think the problem may be originating in something extraneous I saw in the IPN routing table. On the GUI the route for 192.168.0.0/22 has the ASA interface as default gateway, but on the CLI the same route appears to not have default gateway.</P><P>I will appreciate any assistance.</P><P>Regards.</P><P>Daniel Escalante</P> Tue, 08 Apr 2014 00:04:48 GMT https://community.cisco.com/t5/network-access-control/ise-inline-vpn-posture/m-p/2433874#M88344 descalante2007 2014-04-08T00:04:48Z https://community.cisco.com/t5/network-access-control/ise-inline-vpn-posture/m-p/2433875#M88345 <P>Hi,</P><P>I solved this issue by splitting the ip pool (/24) to 2 * (/25) subnets, and assign each pool to a different tunnel-group.</P><P>On the ISE IPEP node, I did filter for the non-secure pool (non-secure tunnel-group) so the ISE will only pass this traffic without applying any policy on it.</P><P>I did that using the filters, and ensure that the routing us correct on the Core SW.</P><P>&nbsp;</P><P>The filter configuration is for the IP addresses, not MAC address.</P><P>I cannot remember the command on the pep CLI itself, that you can show the filters.</P><P>The idea that you need the traffic to pass through the IPEP without posturing, so you need to have split traffic, and apply filters.</P><P>&nbsp;</P><P>In case you need more help, you're welcome to ask.</P><P>&nbsp;</P><P>Thanks.</P><P>Ahmad.</P> Tue, 15 Apr 2014 11:44:07 GMT https://community.cisco.com/t5/network-access-control/ise-inline-vpn-posture/m-p/2433875#M88345 Ahmad Murad 2014-04-15T11:44:07Z https://community.cisco.com/t5/network-access-control/ise-inline-vpn-posture/m-p/2433876#M88346 <P>kindly check the link for step by step config for Inline.</P><P>http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115724-vpn-inpost-asa-00.html</P> Fri, 25 Apr 2014 18:17:40 GMT https://community.cisco.com/t5/network-access-control/ise-inline-vpn-posture/m-p/2433876#M88346 kaaftab 2014-04-25T18:17:40Z