cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1041
Views
0
Helpful
1
Replies

ASA AnyConnect DAP and ISE

Ben.Levin
Level 1
Level 1

I am finishing up configuring AnyConnect connectivity to an ASA 5545-X running 9.4.1.  I have ISE 1.3 doing authentication and posture assessment successfully.  However, I am looking for a way to have the ASA deny VPN access if the client computer is missing a registry key.  I had this working successfully with a pre-policy check using hostscan 3.1 but the TAC is saying that this functionality is being phased out with the latest hostscan module.  They are recommending not staying with hostscan 3.1.  Their recommended solution is to use a DAP policy to check for the registry key.

However, there is an issue with using a DAP endpoint check at the same time as ISE posture assessment. When a client connects to the ASA, the DAP works successfully but then when the ISE posture assessment completes, the ASA terminates the VPN session.  I believe this is an incompatibility between the ASA and ISE but I'm not clear on why it happens.

Has anyone run into this scenario?  Is there a recommended solution to block non-authorized clients from establishing VPN sessions?  TAC has suggested using ISE posture to check for authorized machines and I'm sure this would work from a technical perspective but non-authorized clients would still be able to connect to VPN and gain limited access to the network via the posture unknown and posture non-compliant ACLs.

Thank you.

1 Reply 1

Tarik Admani
VIP Alumni
VIP Alumni

Check in the cisco anyconnect administrator guide because you can not run the hostcan which comes with the ASA posture module and the ISE posture module which explains the issue you are running into.

 

The combined use of HostScan and ISE posture agent is not recommended because unexpected results occur when two different posture agents are running.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: