FTD 6.3 Posture support

dfinibg6
Level 1

Hi Community,

Cisco's release notes for FTD 6.3 have not officially included posture in this version. Would this create an issue with future support, assuming we successfully implement posture?

Regards,

5 Replies

Francesco Molino
VIP Alumni
Hi

Even if it's not supported, this doesn't mean it can't work. Like you said, you have it working.
If you have any issues, you won't get any support, and in a production environment that could be a big issue.

Now, we don't know when this feature will be there (even in 6.4 I believe it's not supported). If Cisco implements this feature in a different way from how it works on ASA today, you'll probably have your current config failing and you'll impact all users, but again, this is an assumption. You're kind of gambling by deploying this feature without any support, and if you make this call you are aware that you can potentially face some impacting issues.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Marvin Rhoads
Hall of Fame

The RADIUS + Change of Authorization (CoA) feature support in FTD 6.4 includes using ISE (as a RADIUS server) to assess posture and then send a CoA to FTD as a result of the posture assessment.

See @hslai's posting here:

https://community.cisco.com/t5/firepower/ftd-remote-access-vpn-with-ise-posture/m-p/3848834

Hi Marvin,

Is that also true for the support for AnyConnect ISE posture in Firepower 6.4? The release notes for 6.3 and 6.4 don't state this explicitly, and the config guides for 6.3 and 6.4 are identical on support for ISE posture:

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/firepower_threat_defense_remote_access_vpns.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/firepower_threat_defense_remote_access_vpns.html

Unsupported Features of AnyConnect

The only supported VPN client is the Cisco AnyConnect Secure Mobility Client. No other clients or native VPNs are supported. Clientless VPN is not supported for VPN connectivity; it is only used to deploy the AnyConnect client using a web browser.

The following AnyConnect features are not supported when connecting to an FTD secure gateway:

  • Secure Mobility, Network Access Management, and all other AnyConnect modules and their profiles beyond the core VPN capabilities and the VPN client profile.
  • Posture variants such as Hostscan and Endpoint Posture Assessment, and any Dynamic Access Policies based on the client posture.

Regards,

Rick.

When doing posture, the assessment is done between the client and ISE over AnyConnect.
Between FTD and ISE, you need CoA, communication with ISE and URL redirect. The first two I'm sure are working fine, but the last one (URL redirect) is not tested yet and I'm not sure if that works.
Maybe @marvin has tested this last capability.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
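The CoA leg of the flow described in the reply above, as an added example that is not part of this thread and not Cisco or ISE code: it builds the RFC 5176 CoA-Request a RADIUS server sends to the VPN gateway after posture assessment, shows the gateway verifying the Request Authenticator with the shared secret before acting on the attributes (and silently discarding a request that fails), and returns a CoA-ACK whose Response Authenticator the server verifies in turn. The shared secret, user name, session ID and the `url-redirect` / `url-redirect-acl` cisco-av-pair values are constructed sample data chosen for illustration, and the hostname is assumed.

```python
"""RADIUS Change of Authorization (CoA) exchange per RFC 5176 (added example)."""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45   # RFC 5176 packet codes
ATTR_USER_NAME = 1                             # RFC 2865 attribute types
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_SESSION_ID = 44
CISCO_VENDOR_ID = 9                            # IANA enterprise number for Cisco
CISCO_AVPAIR = 1                               # vendor type of cisco-av-pair


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text: str) -> bytes:
    """Wrap a cisco-av-pair string in a Vendor-Specific attribute."""
    payload = text.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(payload)) + payload
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def build_coa_request(identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """Server side. Request Authenticator = MD5(Code|ID|Length|16 zero bytes|Attrs|Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attributes))
    auth = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + auth + attributes


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """Gateway side. Recompute the Request Authenticator before honouring anything."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_coa_response(code: int, request: bytes, attributes: bytes, secret: bytes) -> bytes:
    """Gateway side. Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attributes))
    auth = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return header + auth + attributes


def verify_coa_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Server side. Check that the ACK/NAK answers our request and was keyed with our secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, _ident, length = struct.unpack("!BBH", response[:4])
    if code not in (COA_ACK, COA_NAK) or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def cisco_avpairs(packet: bytes) -> list:
    """Walk the attribute list and return the cisco-av-pair strings it carries."""
    pairs, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6 \
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID \
                and value[4] == CISCO_AVPAIR:
            pairs.append(value[6:4 + value[5]].decode())
        pos += alen
    return pairs


def gateway_handle(packet: bytes, secret: bytes) -> bytes:
    """Gateway: RFC 5176 says a request with a bad authenticator is silently discarded."""
    if not verify_coa_request(packet, secret):
        return b""
    return build_coa_response(COA_ACK, packet, b"", secret)


SECRET = b"constructed-shared-secret"          # constructed sample value

# Constructed sample: push the session to the posture portal while its posture is unknown.
REDIRECT_REQUEST = build_coa_request(
    identifier=7,
    attributes=(
        attr(ATTR_USER_NAME, b"alice")
        + attr(ATTR_ACCT_SESSION_ID, b"0A0A0A0A00000001")
        + cisco_avpair("url-redirect-acl=POSTURE_REDIRECT")
        + cisco_avpair("url-redirect=https://ise.example.invalid:8443/portal/gateway"
                       "?sessionId=0A0A0A0A00000001&action=cpp")
    ),
    secret=SECRET,
)

if __name__ == "__main__":
    print("request verifies:", verify_coa_request(REDIRECT_REQUEST, SECRET))
    print("av-pairs:", cisco_avpairs(REDIRECT_REQUEST))
    ack = gateway_handle(REDIRECT_REQUEST, SECRET)
    print("ack verifies:", verify_coa_response(ack, REDIRECT_REQUEST, SECRET))
```

The point of the two verify functions is the one that matters operationally: a gateway that applies a redirect or a new authorization without checking the Request Authenticator lets anyone who can reach its CoA port (UDP 1700 or 3799, depending on the platform) change a live session's policy, so a wrong or missing shared secret on either side shows up as silently dropped CoAs rather than an error.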

Peter Koltl
Level 7

Can the PostureRedirectSGT be replaced with a final SGT by means of CoA?