01-16-2019 01:51 PM
I have been struggling to find decent videos and documentation on how to actually get the posturing to work with my VPN setup.
We have the need to check for "compliance" on corporate machines before they get access to the network. So windows firewall, updates, AV checks, etc, etc.
We also have three AD groups that when authenticated via VPN and ISE it gives them different dACLs based on group membership.
Most examples I am seeing are "domain users" being authenticated, but that is a very broad scope.
Is posture included into the same policy set as the authentication for the VPN users? I assume it is, but I am uncertain how to integrate it.
Currently I have authorization policy that is called "Users Unknown" and it states if you are part of the domain users group and the "WasMachineAuthenticated" true and the PostureStatus is unknown, and then it gets a user unknown authorization profile that is tied to a dACL.
But what makes a status unknown? If this is my first line rule everyone is going to hit it due to domain users. So how do I make sure my IT AD group gets the IT dACL and the CSR AD group gets the CSR dACL?
01-16-2019 02:19 PM - edited 01-16-2019 02:20 PM
You have 3 states of posture when you start using that condition:
So in full production your VPN rules may look like this:
It is the same setup for wired and wireless basically except wireless doesn't have DACLs.
01-16-2019 02:22 PM
If you are only testing with a specific AD group your rules would be:
01-16-2019 04:51 PM
01-16-2019 06:29 PM
I would read this if you haven't
That might help explain how things work. You can use the client provisioning portal to install the posture module, but I wouldn't. I would have it installed either by the ASA or SCCM (or whatever the client uses for software distribution).
01-17-2019 07:20 AM
No SCCM here, but how do you deploy using ASA, I thought you could only deploy the anyconnect client, the posture client is separate.
01-17-2019 08:52 AM
The information provided by Paul is accurate and helpful. To add some thoughts:
If you do not have SCCM you could always just add the Anyconnect Client into your image that you use to image your workstations. As for the PostureStatus EQUALS Unknown you can then use an authorization profile to redirect the user to the portal Paul mentioned. The portal will allow the user to download the posture module required for what you are attempting to accomplish. I actually use the portal in my environment and it works great.
For additional policy conditions that you can use in your policies to make them more granular you can use:
Cisco-VPN3000-CVPN3000/ASA/PIX7-Tunnel-Group-NAME EQUALS 'your tunnel group client profile'
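To make the rule-ordering point from the replies above concrete (posture-unknown rule first, then group-specific rules that only see compliant sessions, with the tunnel-group condition just mentioned narrowing every rule), here is an added example that models how ISE evaluates an authorization policy top-down, first match wins. It is not ISE's own engine nor any poster's configuration; the rule names, profile/dACL names, the tunnel-group value `VPN-Corp` and the session attributes are constructed for illustration.

```python
"""Constructed model of ISE authorization-rule evaluation for a VPN policy set.

Added example, not ISE's engine or the forum posters' configuration.
Rule names, profile/dACL names and the tunnel-group value are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# The three values the Session:PostureStatus condition can take.
POSTURE_STATES = ("Unknown", "Compliant", "NonCompliant")


@dataclass(frozen=True)
class Session:
    """Attributes ISE sees for one VPN session (constructed subset)."""
    ad_groups: frozenset          # external identity group memberships
    machine_authenticated: bool   # Network Access:WasMachineAuthenticated
    posture: str                  # Session:PostureStatus
    tunnel_group: str             # ...Tunnel-Group-NAME RADIUS attribute


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Session], bool]
    profile: str                  # authorization profile that carries the dACL


def compliant_in_group(group: str, tunnel_group: str) -> Callable[[Session], bool]:
    """Condition: session is posture-compliant, in the tunnel group, and in `group`."""
    return lambda s: (s.tunnel_group == tunnel_group
                      and s.posture == "Compliant"
                      and group in s.ad_groups)


def build_vpn_policy(tunnel_group: str = "VPN-Corp") -> List[Rule]:
    """Rules in the order ISE evaluates them: top-down, first match wins.

    Posture gating comes first, so the broad 'Domain Users' rule at the
    bottom only catches compliant sessions that no narrower group rule took.
    """
    def unknown(s: Session) -> bool:
        return (s.tunnel_group == tunnel_group
                and s.machine_authenticated
                and s.posture == "Unknown")

    def noncompliant(s: Session) -> bool:
        return s.tunnel_group == tunnel_group and s.posture == "NonCompliant"

    return [
        # Redirect ACL sends the user to the client provisioning portal.
        Rule("VPN Posture Unknown", unknown, "Posture-Redirect"),
        Rule("VPN NonCompliant", noncompliant, "Quarantine-dACL"),
        # Narrow groups before the broad one.
        Rule("VPN IT Compliant", compliant_in_group("IT", tunnel_group), "IT-dACL"),
        Rule("VPN CSR Compliant", compliant_in_group("CSR", tunnel_group), "CSR-dACL"),
        Rule("VPN Users Compliant",
             compliant_in_group("Domain Users", tunnel_group), "Users-dACL"),
    ]


def authorize(session: Session, policy: List[Rule]) -> Tuple[str, str]:
    """Return (rule name, profile) of the first matching rule, else the default deny."""
    for rule in policy:
        if rule.condition(session):
            return rule.name, rule.profile
    return "Default", "DenyAccess"


def demo() -> Dict[str, Tuple[str, str]]:
    """Run a few constructed sessions through the policy."""
    policy = build_vpn_policy()
    it = frozenset({"Domain Users", "IT"})
    csr = frozenset({"Domain Users", "CSR"})
    users = frozenset({"Domain Users"})
    sessions = {
        "it_unknown": Session(it, True, "Unknown", "VPN-Corp"),
        "it_compliant": Session(it, True, "Compliant", "VPN-Corp"),
        "csr_compliant": Session(csr, True, "Compliant", "VPN-Corp"),
        "user_compliant": Session(users, True, "Compliant", "VPN-Corp"),
        "it_noncompliant": Session(it, True, "NonCompliant", "VPN-Corp"),
        "it_wrong_tunnel": Session(it, True, "Compliant", "VPN-Guest"),
        # Unknown posture without machine auth matches no rule: default deny.
        "it_unknown_no_machine": Session(it, False, "Unknown", "VPN-Corp"),
    }
    return {label: authorize(s, policy) for label, s in sessions.items()}


if __name__ == "__main__":
    for label, (rule, profile) in demo().items():
        print(f"{label:24s} -> {rule:22s} {profile}")
```

The last constructed session shows why the `WasMachineAuthenticated` condition on the posture-unknown rule matters: a session that is unknown but not machine-authenticated falls through every rule to the default, so whatever the default rule hands out is what a non-domain device gets.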
01-17-2019 11:28 AM