AnyConnect non-compliant machine with ISE 2.0

khaled alodat
Level 1

Hi,

Is there a way to force non-compliant AnyConnect users to be redirected to WebVPN?

I have configured a posture check for domain machines based on a registry entry. If the machine is a domain machine, an authorization profile is assigned with full access. What I need is: if the machine is not a domain machine (non-compliant), I need the user to use only WebVPN (clientless).

Technically, I need the authorization profile to deny the connection (which is easy), but I need the user to be notified that he can only use the web version.

Thanks in advance.

Khaled

3 Replies

Rahul Govindan
VIP Alumni

Might not be exactly what you want, but you can try setting the default group policy for the tunnel group to have only the "clientless" vpn-tunnel-protocol. Users who match your posture condition and have an authz policy can be assigned a different group-policy from ISE that has both "anyconnect" and "clientless" as vpn-tunnel-protocol. This won't redirect them to WebVPN directly, but won't allow them a connection via AnyConnect unless they have the right posture.
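The ASA side of the group-policy approach in the reply above, written out as an added example (it is not configuration from the thread or from Cisco); the object names, the address pool and the ISE server address are assumptions.

```cisco
! Added example, not from the thread. Names, pool and ISE address are assumed.
!
! Default group policy for the tunnel group: clientless (WebVPN) only.
! An AnyConnect login that is left on this policy is refused by the ASA,
! because ssl-client is not a permitted tunnel protocol here.
group-policy GP-CLIENTLESS-ONLY internal
group-policy GP-CLIENTLESS-ONLY attributes
 vpn-tunnel-protocol ssl-clientless
!
! Policy that ISE assigns only for a domain (compliant) machine.
! ISE names it in the RADIUS Class attribute (OU=GP-FULL-ACCESS).
group-policy GP-FULL-ACCESS internal
group-policy GP-FULL-ACCESS attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 address-pools value VPN-POOL
!
! RADIUS to ISE, with CoA enabled so ISE can change the session after
! the posture result is known.
aaa-server ISE-RADIUS protocol radius
 dynamic-authorization
 interim-accounting-update
aaa-server ISE-RADIUS (inside) host 192.0.2.10
 key <shared-secret>
!
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ISE-RADIUS
 accounting-server-group ISE-RADIUS
 default-group-policy GP-CLIENTLESS-ONLY
tunnel-group RA-VPN webvpn-attributes
 group-alias RA-VPN enable
!
! Check which policy a session actually received:
!   show vpn-sessiondb anyconnect filter name <user>
! The "Group Policy" line should read GP-FULL-ACCESS for a compliant host
! and GP-CLIENTLESS-ONLY (or no session at all) for anything else.
```

Because the posture check runs inside an established AnyConnect session, the Posture Unknown authorization result still has to assign a policy that permits ssl-client together with the redirect ACL; the clientless-only default therefore only catches sessions that never match any ISE rule, and the non-compliant result has to handle the rest.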

I thought about this solution, but there is one problem with it. The CoA does not allow you to resend a new authorization profile with a different result. Can I push a message to users as part of the authorization profile? E.g. non-compliant devices --> deny access + message

I believe during "Posture Unknown" state, you hit one authz policy and when you change to Compliant or Non-compliant, you get other attributes pushed out to you. The flow is defined here:

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

You can use the remediation action to show a message when a posture condition fails, but the problem is that you are still in posture unknown state during that remediation state - which means you are not denied connection, but anything you send on the browser is redirected to the Client Provisioning page.

An easy way to do this is with DAP and HostScan on the ASA, where you can send a message and even allow "Access-Method" to be only Clientless when a DAP policy (checking for posture) is not hit.