ASA AnyConnect DAP and ISE

Ben.Levin
Level 1

I am finishing up configuring AnyConnect connectivity to an ASA 5545-X running 9.4.1.  I have ISE 1.3 doing authentication and posture assessment successfully.  However, I am looking for a way to have the ASA deny VPN access if the client computer is missing a registry key.  I had this working successfully with a pre-policy check using hostscan 3.1 but the TAC is saying that this functionality is being phased out with the latest hostscan module.  They are recommending not staying with hostscan 3.1.  Their recommended solution is to use a DAP policy to check for the registry key.

However, there is an issue with using a DAP endpoint check at the same time as ISE posture assessment. When a client connects to the ASA, the DAP works successfully but then when the ISE posture assessment completes, the ASA terminates the VPN session.  I believe this is an incompatibility between the ASA and ISE but I'm not clear on why it happens.

Has anyone run into this scenario?  Is there a recommended solution to block non-authorized clients from establishing VPN sessions?  TAC has suggested using ISE posture to check for authorized machines and I'm sure this would work from a technical perspective but non-authorized clients would still be able to connect to VPN and gain limited access to the network via the posture unknown and posture non-compliant ACLs.

Thank you.

1 Reply

Tarik Admani
VIP Alumni

Check the Cisco AnyConnect administrator guide: you cannot run the HostScan that comes with the ASA posture module together with the ISE posture module, which explains the issue you are running into.

The combined use of HostScan and ISE posture agent is not recommended because unexpected results occur when two different posture agents are running.