Solved: Re: ASA VPN posture and ISE

devvv85 · ‎08-07-2018

Hi Experts,

I am testing ASA VPN posture with ISE. Below are the details and my query:

ASA version: 9.8.2.39

ISE version: 2.3 patch 3

During testing, I found that the endpoint is getting postured correctly and endpoint is getting final access. However, on live logs I cannot see the final "compliant" policy being hit.

On CoA logs, I can see the compliant AuthZ profile being hit. However, actual compliant policy is not seen.

Please see attached file. The test_VPN_profile is the final compliant Authz profile. However, I cannot see the policy.

Would appreciate your reply.

devvv85 · ‎08-20-2018

Hi Nidhi/Thomas,

Thank you for your help. Worked with TAC and the behavior is expected.

All the attributes are sent in CoA itself, so final compliant policy is not seen.

Thanks again!!

View solution in original post

Jeffrey Jones · ‎08-07-2018

What version of the anyconnect client are you using?

Are the users connecting ?

Jeff

devvv85 · ‎08-07-2018

Hi Jeff,

Yes, users are able to connect without any issue. Everything is working fine.

It is just that after the CoA log, I cannot see final compliant policy in live logs. Not sure if this is expected behavior.

I am using 4.5.04029 AnyConnect version.

Thanks!

Nidhi · ‎08-10-2018

The live logs and live sessions should show the compliant policy hit.

If everything is configured correctly and you also see the dACL applied in switch, need to look at the detail debug logs to check if anything is missing. Please work with TAC to debug this.

Thanks,

Nidhi

Nidhi · ‎08-10-2018