Disconnect anyconnect vpn if ISE posture not compliant

xbill42
Level 1

Hi,

I have a Firepower in ASA mode (9.14) for AnyConnect VPN and Cisco ISE for posture (Apex license).

I am trying to find out if there is an option to force the VPN session to disconnect if the posture is not compliant.

For the moment, when the PC is not compliant, there is just the DACL pushed by ISE to the firewall that prevents access to the network, but now I need to disconnect the VPN outright if it's not compliant.

Does this feature exist, and how do I configure it?

Best regards

7 Replies

Mike.Cifelli
VIP Alumni
Does this feature exist, and how do I configure it?
-AFAIK this is not possible. You could take a peek to see if you can identify some sort of advanced attribute to reference in your non-compliant authz profile. My question is why does this matter if you have a working solution to restrict access for non-compliant hosts? The only thing I can quickly think of is a licensing concern? IMO you would think (if possible, depending on your posture checks) you would want to allow some sort of remediation for these hosts that then allows them to re-scan to get full network access. Lastly, I would think that a generic user would continue to attempt to get on the VPN pending disconnect.

Hi,

We check for a specific running process on corporate computers. If the process is not running, it means that the corporate client computer is not configured properly or has a big problem (they would have to call IT support and maybe bring their PC in for checking, etc.).

Why does it matter: there is no point in them staying connected to the tunnel with a deny ACL that allows access to nothing.

Best regards

Hi,
I've not tried this, but create an AuthZ rule that matches on Session-PostureStatus EQUALS NonCompliant with the result Access-Reject.

Hi,

I tried the Access-Reject option, but this triggers an error on the AnyConnect side, something like "unknown interruption error: general error".

I've also contacted TAC for this and they responded that it is impossible to disconnect the tunnel if the posture is not compliant.

This is a strange "feature" but it is what it is.

Best regards

If TAC confirms there is no official method, you could configure the "Session-Timeout" attribute and push that out in the AuthZ profile; this will define a short maximum session time and disconnect the session once it expires.

Hi,

The Session-Timeout is not taken into account by the ASA; I don't see the max session value change after receiving the CoA.

The DACL is received on the other hand.

I'll try to push a whole group-policy with a short max session timeout.

Best regards

Yes it is; I've tested it. It depends on what you configured. The problem with that command is that the lowest value is 1 minute, so the user would be connected for 1 minute before being disconnected.
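The following ASA configuration is an added example, not something posted in the thread, showing the group-policy approach the last two replies discuss: a normal group-policy for compliant users next to a "non-compliant" group-policy with the 1-minute floor on vpn-session-timeout, plus the RADIUS server group settings the ISE CoA depends on. The group-policy names, the server group name ISE, the tunnel-group name and the 10.0.0.10 address are assumptions; the ISE side is shown only as the RADIUS attributes the authorization profile would return, since ISE itself is configured in its GUI.

```cisco
! Added example (not from the thread). GP-VPN-COMPLIANT, GP-VPN-NONCOMPLIANT,
! the aaa-server group "ISE", the tunnel-group name and 10.0.0.10 are assumed names.
!
! RADIUS server group pointing at ISE. dynamic-authorization is what lets the
! ASA accept the CoA that ISE sends once the posture assessment has finished,
! so the session is re-authorized with the new group-policy and DACL.
aaa-server ISE protocol radius
 dynamic-authorization
 interim-accounting-update
aaa-server ISE (inside) host 10.0.0.10
 key <radius-shared-secret>
!
! Group-policy for posture-compliant users: no forced maximum session time.
group-policy GP-VPN-COMPLIANT internal
group-policy GP-VPN-COMPLIANT attributes
 vpn-tunnel-protocol ssl-client
 vpn-session-timeout none
!
! Group-policy ISE assigns when Session-PostureStatus is NonCompliant.
! vpn-session-timeout is in minutes and 1 is the smallest accepted value,
! so the client keeps the tunnel (restricted by the deny DACL) for up to
! one minute before the ASA tears the session down.
group-policy GP-VPN-NONCOMPLIANT internal
group-policy GP-VPN-NONCOMPLIANT attributes
 vpn-tunnel-protocol ssl-client
 vpn-session-timeout 1
!
! The tunnel-group authenticates and accounts against ISE; the group-policy
! actually applied is the one ISE names in the authorization result.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy GP-VPN-COMPLIANT
!
! ISE authorization profile for the NonCompliant rule (set in the ISE GUI),
! expressed as the RADIUS attributes it returns to the ASA:
!   Class (25)      = OU=GP-VPN-NONCOMPLIANT      <- selects the local group-policy
!   cisco-av-pair   = <downloadable ACL as already used in the thread>
! The group-policy named in OU= must exist on the ASA; an unknown name is ignored.
```

After a non-compliant client has been re-authorized by the CoA, `show vpn-sessiondb anyconnect filter name <user>` shows which Group Policy the session ended up in, which is the quickest way to tell whether the OU= value was applied or whether the ASA kept the default policy. The DACL from the existing setup still applies during the remaining minute, so the client is never given more access than before; the timeout only shortens how long the otherwise useless tunnel stays up.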