cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

618
Views
15
Helpful
6
Replies
vicente.mibarra1
Beginner

ISE doubts about capabilites for VPN and Endpoints connections

Hello! I had a question about a case in particular It's a bit far-fetched, but in short, does exist on ISE or in another appliance on Cisco a function that allow scanning for VPN connections and Endpoint Connections? For example: I have an ASA connected to a Radius server for 2nd factor and an Active Directory for user credentials, the ASA does a DHCP pool for Remote Access VPN connections, but I can't scan users such as what type of operating system, version or software they have installed in the device also applications that they are trying to connecto to, information about the host in general. And in another case, is it possible in ISE to make rules or policies to not allow a connection of a host if doesn´t have the latest patches or patches of a specific date/time installed in the device?

 

I was investigating in some forums but I couldn't find a solution that met what I was looking for to implement.

 

Hoping not to bother you with my doubt, I am very attentive to any advice or help you can give me.

 

Greetings,

1 ACCEPTED SOLUTION

Accepted Solutions

It's actually AnyConnect that supplies the system info (not DHCP relay) to either ISE (ISE Posture Agent) or the ASA/FTD (hostscan).  Hostscan/DAP support was added in FMC/FTD in version 7.0.  Hostscan/DAP Support was added in 6.7 for FDM (API only).

View solution in original post

6 REPLIES 6
UdupiKrishna
Cisco Employee

ISE posture (deployed as ISE posture module for endpoints) will do most of what you are looking for. Here's a prescriptive guide - https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273

 

Yup Cisco ISE Posture if your answer.  Also Hostscan with ASA Dynamic Access Policies (DAP) if you don't want to use ISE.

Interesting, about Hostscan with DAP, i´m going to investigate about that also.

 

Another question, it is posible to implement something similar in Firepower like Hostscan in this case? I know that devices with a Static IP can be identify easily but its the DHCP clients that make a little bit difficult to know who is who.

It's actually AnyConnect that supplies the system info (not DHCP relay) to either ISE (ISE Posture Agent) or the ASA/FTD (hostscan).  Hostscan/DAP support was added in FMC/FTD in version 7.0.  Hostscan/DAP Support was added in 6.7 for FDM (API only).

Thank you very much! this info was really usefull.

 

Have a nice day.

Thanks, i´m going to read the documentation that you send me.

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube