Solved: There is nothing special in

Muhammad Anser Khan · ‎05-24-2016

Hi,

I need to achieve different level of remote vpn user access for the network.

I do have Cisco ASA 5520 (SSL VPN) that max support IOS version 9.1.x. It does not support 9.2.x so It does not support CoA (posturing & remediation).

http://www.cisco.com/c/en/us/td/docs/security/ise/1-4/compatibility/ise_sdt.html

! — Limited support, some functionalities are not supported for posturing.

Can I still use dACL for the remote vpn user?

Note: I have Cisco ISE 1.4. I do not want to use IPN and do not want to replace ASA firewall at the moment.

Regards,

Anser

Karsten Iwen · ‎05-25-2016

There is nothing special in this scenario. The ASA uses the ISE as RADIUS authentication-server. On the ISE you define an Authorization-profile for the VPN-user that includes a dACL. That's all.

View solution in original post

jan.nielsen · ‎05-24-2016

I you just want to push a dACL to the user when they login using AnyConnect, that shouldnt be a problem.

Karsten Iwen · ‎05-24-2016

I'm running this combination (well, recently upgraded to ISE 2.0). Works like a charm.

Muhammad Anser Khan · ‎05-25-2016

Hi,

I need to do downloadable ACL for remote VPN users. I can not move to ISE 2.0 due to hardware limitation.

Can you share the config example from ASA 5520 (9.1.x) side to ISE?

Regards,

Ahmed El-Shorman · ‎05-25-2016

Hi All ,

i have similar case here , if you can share a sample configuration on the ASA 5520 ( 9.1 os)

that allow me to push a DACL to the remote vpn user ,

Thanks

Karsten Iwen · ‎05-25-2016

There is nothing special in this scenario. The ASA uses the ISE as RADIUS authentication-server. On the ISE you define an Authorization-profile for the VPN-user that includes a dACL. That's all.

ASA5520 version 9.1.x and ISE 1.4 Limitations - dACL