Solved: ISE Anyconnect Posturing

RaymondBrown1165 · ‎07-10-2019

My scenario is for remote users. I would like to use the Always on feature in the anyconnect client to ensure that the VPN is always connected. The issue is I want to make sure the system is compliant before giving it access to network resources.

Can someone tell me if this scenario is possible?

Phase 1 - Authenticate to the VPN using a machine Cert. If no machine cert is installed on the machine, access is denied.

Phase 2 - If valid machine cert authenticated, I want to redirect to ISE for posturing.

Phase 3 - Compliance reported. If non-compliant, allow access to internal vlan with wsus for updates.

Phase 4 - If compliant, prompt user for RSA/user authentication.

My goal is to allow the machine to authenticate and get access to a quarantine/update vlan to get updates without the user logging in, then once all updates are installed and the machine is compliant, the user is prompted to login. Currently the vpn is authenticating through the ASA via 2FA machine cert and RSA but the issue is it requires the user to login in order for them to connect and access the network to get the updates.

Any suggestions?

paul · ‎07-10-2019

I don't believe there will be a way to do this in the logged off state as the posture module is a user space process. The AnyConnect VPN side can start before login but not the posture module.

View solution in original post

paul · ‎07-10-2019

I don't believe there will be a way to do this in the logged off state as the posture module is a user space process. The AnyConnect VPN side can start before login but not the posture module.