Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
5722
Views
5
Helpful
7
Replies

Disconnect anyconnect vpn if ISE posture not compliant

Go to solution
xbill42
Level 1
Level 1

‎07-22-2020 07:53 AM

Hi,

 

I have a Firepower in ASA mode (9.14) for anyconnect VPN and cisco ISE for posture (Apex license).

 

I am trying to find if there is an option to force the VPN session to disconnect if the posture is not compliant.

 

For the moment when the PC is not compliant there is just the DACL pushed by the ISE to the firewall that prevents access to the network, but now I need to just disconnect the VPN if it's not compliant.

 

Does this feature exist, and how do I configure it ?

 

Best regards

1 person had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
xbill42
Level 1
Level 1
In response to Rob Ingram

‎08-07-2020 06:48 AM - edited ‎08-07-2020 06:48 AM

Hi,

 

I tried the access-reject option, but this triggers an error on the anyconnect side, something like unknown interruption error : general error.

I've also contacted TAC for this and they responded that it is impossible to disconnect the tunnel if the posture is not compliant.

This is a strange "feature" but it is what it is.

 

Best regards

View solution in original post

7 Replies 7

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎07-22-2020 01:06 PM

Does this feature exist, and how do I configure it ?
-AFAIK this is not possible. You could take a peek to see if you can identify some sort of advanced attribute to reference in your non-compliant authz profile. My question is why does this matter if you have a working solution to restrict access for non-compliant hosts? The only thing I can quickly think of is a licensing concern? IMO you would think (if possible depending on your posture checks) you would want to allow some sort of remediation for these hosts that then allows them to re-scan to get full network access. Lastly, I would think that a generic user would continue to attempt to get on the VPN pending disconnect.
0 Helpful

Go to solution
xbill42
Level 1
Level 1
In response to Mike.Cifelli

‎07-23-2020 01:49 AM

Hi,

 

We check for specific running process on corporate computers. If the process is not running it means that the client corporate computer is not configured properly or have a big problem (they would have to call the IT support and maybe bring their PC for checking etc...)

Why does it matter : there is no point that they stays connected to the tunnel with a deny ACL that allows access to nothing.

 

Best regards

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to xbill42

‎07-23-2020 04:42 AM

Hi,
I've not tried this but, create and AuthZ rule and match on Session-PostureStatus EQUALS NonCompliant and result Access-Reject.
0 Helpful

Go to solution
xbill42
Level 1
Level 1
In response to Rob Ingram

‎08-07-2020 06:48 AM - edited ‎08-07-2020 06:48 AM

Hi,

 

I tried the access-reject option, but this triggers an error on the anyconnect side, something like unknown interruption error : general error.

I've also contacted TAC for this and they responded that it is impossible to disconnect the tunnel if the posture is not compliant.

This is a strange "feature" but it is what it is.

 

Best regards

Go to solution
Rob Ingram
VIP
VIP
In response to xbill42

‎08-07-2020 10:05 AM

If TAC confirm there is no official method, you could configure the "Session-Timeout" and push that out in the AuthZ profile, this will define a short max session and disconnect once expires.
0 Helpful

Go to solution
xbill42
Level 1
Level 1
In response to Rob Ingram

‎08-12-2020 01:48 AM

Hi,

 

The Session-Timeout is not taken into account by the ASA, I don't see the max session value changed after receiving the COA.

The DACL is received on the other hand.

I'll try to push a whole group-policy with a short max session timeout.

 

Best regards

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to xbill42

‎08-12-2020 08:08 AM

Yes it is, I've tested it. It depends on what you configured. The problem with that command is the lowest value is 1 minute, so the user would be connected for 1 minute before being disconnected.
0 Helpful
Top