
ISE: 2.3 Using CVPN3000/ASA/PIX7x-Tunnel-Group-Name Attribute Not Working for ISE Posture Condition

We are configuring ISE posture to be implemented for AnyConnect VPN. We decided to use the tunnel-group-name condition to have separate posture policies between tunnel groups, but the issue is that the attribute does not appear to be working.

I already checked in Live Logs, and we are using the correct attribute, CVPN3000/ASA/PIX7x-Tunnel-Group-Name. I then tried Equals, Matches, Starts and Contains against our vpn-group name, but it is failing to work. I checked that the vpn-group name sent from the ASA to ISE in Live Logs is correct.


Re: ISE: 2.3 Using CVPN3000/ASA/PIX7x-Tunnel-Group-Name Attribute Not Working for ISE Posture Condition

You need to define that in the Client Provisioning Policy. It would look something like this:

If {identity group:any} and Windows ALL and {CVPN3000/ASA/PIX7x-Tunnel-Group-Name EQUALS YOUR GROUP} then AnyConnect Configuration

Under your policy element (results) configure the AnyConnect Configuration for the VPN module and the proper profile selection for ISE Posturing.

I use this type of setup for all VPN users and differentiate based on the tunnel group name.

Good luck & HTH!