
ISE: 2.3 Using CVPN3000/ASA/PIX7x-Tunnel-Group-Name Attribute Not Working for ISE Posture Condition

misinsuan2229
Level 1

We are configuring ISE posture to be implemented for AnyConnect VPN. We decided to use the tunnel-group-name condition to have a separate posture policy between tunnel groups, but the issue is that the attribute looks to be not working.

 

I already checked in Live Logs, and we are using the correct attribute, CVPN3000/ASA/PIX7x-Tunnel-Group-Name. We then tried (Equals, Matches, Starts, Contains) against our vpn-group name, but it is failing to work. I checked that the vpn-group name sent from the ASA to ISE in Live Logs is correct.

1 Reply

Mike.Cifelli
VIP Alumni
You need to define that in the Client Provisioning Policy. It would look something like this:

If {identity group:any} and Windows ALL and {CVPN3000/ASA/PIX7x-Tunnel-Group-Name EQUALS YOUR GROUP} then AnyConnect Configuration

Under your policy element (results) configure the AnyConnect Configuration for the VPN module and the proper profile selection for ISE Posturing.

I use this type of setup for all VPN users and differentiate based on the tunnel group name.

Good luck & HTH!