05-04-2022 03:35 PM
Hello! I had a question about a particular case. It's a bit far-fetched, but in short, does there exist on ISE, or in another Cisco appliance, a function that allows scanning of VPN connections and endpoint connections? For example: I have an ASA connected to a RADIUS server for the second factor and to Active Directory for user credentials, and the ASA has a DHCP pool for Remote Access VPN connections, but I can't scan users for things such as what type of operating system, version or software they have installed on the device, the applications they are trying to connect to, or information about the host in general. And in another case, is it possible in ISE to make rules or policies that do not allow a host to connect if it doesn't have the latest patches, or patches from a specific date/time, installed on the device?
I was investigating in some forums, but I couldn't find a solution that met what I was looking to implement.
Hoping not to bother you with my doubt, I am very attentive to any advice or help you can give me.
Greetings,
05-04-2022 07:01 PM - edited 05-04-2022 07:01 PM
ISE posture (deployed as ISE posture module for endpoints) will do most of what you are looking for. Here's a prescriptive guide - https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273
05-05-2022 05:10 AM
Yup, Cisco ISE Posture is your answer. Also Hostscan with ASA Dynamic Access Policies (DAP) if you don't want to use ISE.
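As an added illustration of the Hostscan + DAP approach mentioned in the reply above (this is example code written for this page, not code from the thread or from Cisco's documentation): a DAP "Advanced" Lua expression that returns true only when the endpoint reports a Windows 10 operating system, so the DAP it belongs to can be used to allow (or, with a terminate-action DAP, deny) the session. The attribute name `endpoint.os.version`, the `EVAL` helper and the `assert(function() ... end)()` wrapper follow the DAP endpoint-attribute conventions as I understand them and are assumptions to verify against the DAP documentation for your ASA/FTD release.

```lua
-- Hypothetical DAP "Advanced" expression (assumption: attribute names and
-- the EVAL helper match the DAP documentation for your release).
-- The OS value comes from Hostscan (AnyConnect), not from the DHCP pool,
-- so it is only available for AnyConnect sessions with Hostscan enabled.
assert(function()
  -- Hostscan did not report an OS at all: treat as non-compliant.
  if (type(endpoint.os.version) ~= "string") then
    return false
  end
  -- Compare the reported OS string against the required value.
  if (EVAL(endpoint.os.version, "EQ", "Windows 10", "string")) then
    return true
  end
  return false
end)()
```

The check is deliberately written to fail closed: an endpoint that supplies no OS information (for example a client without Hostscan) does not match, so a DAP that grants access only on a true result will not be selected for it.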
05-05-2022 05:35 AM
Interesting. About Hostscan with DAP, I'm going to investigate that also.
Another question: is it possible to implement something similar to Hostscan in Firepower in this case? I know that devices with a static IP can be identified easily, but it's the DHCP clients that make it a little bit difficult to know who is who.
05-05-2022 05:39 AM - edited 05-05-2022 05:40 AM
It's actually AnyConnect that supplies the system info (not DHCP relay) to either ISE (ISE Posture Agent) or the ASA/FTD (hostscan). Hostscan/DAP support was added in FMC/FTD in version 7.0. Hostscan/DAP Support was added in 6.7 for FDM (API only).
05-05-2022 05:45 AM
Thank you very much! This info was really useful.
Have a nice day.
05-05-2022 05:19 AM
Thanks, I'm going to read the documentation that you sent me.
10-11-2023 10:23 AM
Cisco ISE is the best option