Cisco ISE integration with the VPN Solution for Posture Assessment

Jithishkk1514
Level 1

Hi All,

We need a few clarifications with respect to the Cisco ISE deployment.

Summary:

  • Cisco ISE is to be deployed for Authenticating the Endpoints located at the Remote / Branch Offices.
  • The Customer currently provides access to the Internal resources for users working from home (both Employees and Contractors) via the Citrix VDI.
  • The Customer has the Cisco ASA as the Perimeter Firewall configured in HA.
  • There is no SSL / Remote Access VPN configured on the ASA.

Queries:

  1. Is there any solution which Cisco ISE supports for posture assessment of Endpoints connected through Citrix VDI?
  2. What are the other VPN Solutions that Cisco ISE can be integrated with for posture assessments?
  3. What licenses would be required for VPN setup and posture assessment of the endpoints?
    1. Cisco ASA
    2. Cisco ISE
  4. Also, we would like to know how the AnyConnect Apex License is consumed for VPN Posturing using AnyConnect client.

Accepted Solutions

Mike.Cifelli
VIP Alumni
  1. Is there any solution which Cisco ISE supports for posture assessment of Endpoints connected through Citrix VDI?

-As long as the AnyConnect probe can reach ISE I don't see this being an issue.

  2. What are the other VPN Solutions that Cisco ISE can be integrated with for posture assessments?

-Please see here for further details on posture capabilities, design, and workflows: https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273

  3. What licenses would be required for VPN setup and posture assessment of the endpoints?
    1. Cisco ASA - AnyConnect Plus or AnyConnect Apex (see here for more detail: https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-og.html)
    2. Cisco ISE - ISE base and ISE apex
  4. Also, we would like to know how the AnyConnect Apex License is consumed for VPN Posturing using AnyConnect client.

-Licenses are consumed on a per session basis. Assuming your question is referencing ISE license consumption, then for each established VPN session that was subject to ISE posture assessment an ISE base and ISE apex license will be consumed. So for example: 10 users subject to ISE posture assessment = 10 ISE base & 10 ISE apex session licenses.

HTH!

3 Replies

Hi Mike,

Currently, VPN is not established by the AnyConnect agent as per the current design. The Customer currently provides access to the Internal resources for users working from home (both Employees and Contractors) via the Citrix NetScaler VDI and Citrix NetScaler VPN Adapter agent.

Does Cisco ISE support posture assessment of Endpoints connected through Citrix NetScaler VDI and Citrix NetScaler VPN Adapter agent?

ISE cannot posture endpoints with an AnyConnect agent unless they are authenticating to a network device (wired, wireless, VPN). My understanding with VDI is you can simply use a web browser (HTTPS) and not need to do any VPN or care about the posture of the endpoint doing HTTPS to the VDI server.

If you are doing something different, please be very specific about how you are connecting remote endpoints and with which protocols at each step.
