cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
715
Views
1
Helpful
3
Replies

ASA / ISE Posture along w/ VPN phone

shjoiner
Cisco Employee
Cisco Employee

Hi -

This question is related to the following document:

How To Configure Posture with AnyConnect Compliance Module and ISE 2.0

How can you incorporate the VPN Phone capability into this ASA + ISE design?  Would you just create a separate group policy and group url that would be outside the ASA/ISE group policy for regular users?

Vpn phone - http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2013/CVD-VPNPhoneDesignGuide-AUG13.pdf

Thanks,
Shane

3 Replies 3

Timothy Abbott
Cisco Employee
Cisco Employee

Hi Shane,

That would probably be the best solution.  One other possibility would be to use certificate based authentication with the phone and ASA but I'm not 100% sure if VPN phone supports that authentication method or not.

Regards,

-Tim

Yes, the phones already use Cert Authentication to the ASA.

hslai
Cisco Employee
Cisco Employee

Since the phones are using certificate authentication against ASA, there is no much to do with ISE. You could try authorize-only to ISE and see whether AnyConnect provides similar ACIDEX attributes as that for Windows and macOS or any other attributes usable by ISE to provide more granular authorization.