Beginner

FTD 6.3 Posture support

Hi Community,

Cisco's release notes for FTD 6.3 do not officially include posture in this version. Would this create an issue with future support, assuming we successfully implement posture?

Regards,

VIP Advisor

Re: FTD 6.3 Posture support

Hi

Even if it's not supported, this doesn't mean it can't work. Like you said, you have it working.
If you have any issues, you won't get any support, and in a production environment it could be a big issue.

Now, we don't know when this feature will be there (even in 6.4, I believe it's not supported). If Cisco implements this feature in a different way than it works in ASA today, you'll probably have your current config failing and you'll impact all users, but again, this is an assumption. You're kind of gambling by deploying this feature without any support, and if you make this call you are aware that you can potentially face some impacting issues.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Hall of Fame Master

Re: FTD 6.3 Posture support

The RADIUS + Change of Authorization (CoA) feature support in FTD 6.4 includes using ISE (as a RADIUS server) to assess posture and then send a CoA to FTD as a result of the posture assessment.

See @hslai 's posting here:

https://community.cisco.com/t5/firepower/ftd-remote-access-vpn-with-ise-posture/m-p/3848834

Beginner

Re: FTD 6.3 Posture support

Hi Marvin,

Is that also true for the support for AnyConnect ISE posture in Firepower 6.4? The release notes for 6.3 and 6.4 don't state this explicitly, and the config guides for 6.3 and 6.4 are identical on support for ISE posture:

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/firepower_threat_defense_remote_access_vpns.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/firepower_threat_defense_remote_access_vpns.html


Unsupported Features of AnyConnect

The only supported VPN client is the Cisco AnyConnect Secure Mobility Client. No other clients or native VPNs are supported. Clientless VPN is not supported for VPN connectivity; it is only used to deploy the AnyConnect client using a web browser.

The following AnyConnect features are not supported when connecting to an FTD secure gateway:

  • Secure Mobility, Network Access Management, and all other AnyConnect modules and their profiles beyond the core VPN capabilities and the VPN client profile.
  • Posture variants such as Hostscan and Endpoint Posture Assessment, and any Dynamic Access Policies based on the client posture.


Regards,

Rick.

VIP Advisor

Re: FTD 6.3 Posture support

When doing posture, the assessment is done between the client and ISE over AnyConnect.
Between FTD and ISE, you need CoA, communication with ISE, and URL redirect. The first two I'm sure are working fine, but the last one (URL redirect) I have not tested yet and I'm not sure if it works.
Maybe @marvin has tested this last capability.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question