07-22-2020 07:53 AM
Hi,
I have a Firepower in ASA mode (9.14) for AnyConnect VPN and Cisco ISE for posture (Apex license).
I am trying to find out if there is an option to force the VPN session to disconnect if the posture is not compliant.
For the moment, when the PC is not compliant there is just the DACL pushed by ISE to the firewall that prevents access to the network, but now I need to simply disconnect the VPN if it's not compliant.
Does this feature exist, and how do I configure it?
Best regards
Accepted Solutions
08-07-2020 06:48 AM - edited 08-07-2020 06:48 AM
Hi,
I tried the Access-Reject option, but this triggers an error on the AnyConnect side, something like "unknown interruption error: general error".
I've also contacted TAC about this, and they responded that it is impossible to disconnect the tunnel if the posture is not compliant.
This is a strange "feature", but it is what it is.
Best regards
07-22-2020 01:06 PM
AFAIK this is not possible. You could take a peek to see if you can identify some sort of advanced attribute to reference in your non-compliant AuthZ profile. My question is: why does this matter if you have a working solution to restrict access for non-compliant hosts? The only thing I can quickly think of is a licensing concern. IMO you would think (if possible, depending on your posture checks) you would want to allow some sort of remediation for these hosts that then allows them to re-scan to get full network access. Lastly, I would think that a generic user would continue to attempt to get on the VPN after a disconnect.
07-23-2020 01:49 AM
Hi,
We check for a specific running process on corporate computers. If the process is not running, it means that the corporate client computer is not configured properly or has a big problem (they would have to call IT support and maybe bring their PC in for checking, etc.).
Why does it matter: there is no point in them staying connected to the tunnel with a deny ACL that allows access to nothing.
Best regards
07-23-2020 04:42 AM
I've not tried this, but create an AuthZ rule that matches on Session-PostureStatus EQUALS NonCompliant with the result Access-Reject.
08-07-2020 10:05 AM
08-12-2020 01:48 AM
Hi,
The Session-Timeout is not taken into account by the ASA; I don't see the max session value change after receiving the CoA.
The DACL, on the other hand, is received.
I'll try to push a whole group-policy with a short maximum session timeout.
Best regards
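The group-policy approach the poster says they will try next, written out as an added example; this is not configuration from the thread, from Cisco, or from TAC, and the thread does not report whether it works. The group-policy name GP_NONCOMPLIANT, the one-minute timers and the banner text are assumptions; the only documented facts relied on are that vpn-session-timeout is the ASA's "Maximum Connect Time" (the "max session value" the poster looks at) and that the ASA selects a group-policy from a RADIUS Class attribute of the form OU=<group-policy-name>.

```cisco
! ASA side (assumed names). A group-policy whose only job is to end the
! session quickly. vpn-session-timeout is in minutes; 1 is the smallest
! value the command accepts. The idle timeout is shortened too, so a
! client that stops sending traffic is dropped just as fast.
group-policy GP_NONCOMPLIANT internal
group-policy GP_NONCOMPLIANT attributes
 vpn-session-timeout 1
 vpn-idle-timeout 1
 banner value This computer did not pass the compliance check. The VPN session will be closed. Contact IT support.
exit

! ISE side (assumed). The NonCompliant authorization profile keeps the
! existing deny-everything DACL and, in Advanced Attributes Settings,
! additionally returns the group-policy name in the RADIUS Class attribute
! (attribute 25); the ASA maps OU=<name> to a group-policy of that name:
!   Radius:Class = OU=GP_NONCOMPLIANT

! Verification on the ASA after the posture result: the session should
! show Group Policy GP_NONCOMPLIANT, and the session should disappear from
! the list within about a minute.
show vpn-sessiondb detail anyconnect filter name <username>
show vpn-sessiondb anyconnect
```

The open question, and exactly what the poster is about to test, is whether the ASA applies a group-policy change carried in a CoA to an already-established session or only honours the Class attribute at session setup; the thread does not say, so check the Group Policy field in the show output rather than assuming the CoA took effect.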
08-12-2020 08:08 AM
