ā08-12-2017 10:47 PM - edited ā03-11-2019 12:56 AM
Dear all,
We have been tasked with a challenge of having ISE Posture (web agent) work on a client machine when connecting securely with a Clientless SSL VPN (browser), i know without an ip assigned to a client it would not be possible, but if anyone has pulled out some tricks on this one to make it work, kindly share the experience.
T&R
ā08-13-2017 01:47 AM
Hi Arjun,
I do not think it is supported.
Posturing is only supported with Anyconnect on ISE:
https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html
Regards,
Aditya
Please rate helpful and mark correct answers
ā08-13-2017 02:28 AM
Thank you for your responses, customer is a little reluctant about it not being mentioned anywhere on Cisco's documentation, if it is mentioned anywhere kindly share the document as i am not able to find one.
ā08-13-2017 02:48 AM
Cisco seldom lists all of the things that aren't supported as that list could be quite lengthy and will never be complete.
I'd point to the Admin Guide section on posture:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010111.html
It states in part:
Clients interact with the posture service through the AnyConnect ISE Posture Agent or Network Admission Control (NAC) Agent on the endpoint...
That last clause is key. In clientless we do not, by definition, load any software to the endpoint
ā08-14-2017 01:32 AM
Thank you Marvin, i will try to explain the same to the customer, fingers crossed*
ā08-13-2017 02:05 AM
I agree with Aditya - it's not only unsupported, I don't believe it can be done. The clientless endpoint cannot be assessed by the ISE temporal (web) agent.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide