1472 Views · 15 Helpful · 7 Replies

ISE doubts about capabilites for VPN and Endpoints connections

Vicente Miño
Level 1

Hello! I had a question about a case in particular. It's a bit far-fetched, but in short, does there exist in ISE or in another Cisco appliance a function that allows scanning VPN connections and endpoint connections? For example: I have an ASA connected to a RADIUS server for the 2nd factor and an Active Directory for user credentials, and the ASA uses a DHCP pool for Remote Access VPN connections, but I can't scan users for things such as what type of operating system, version or software they have installed on the device, the applications they are trying to connect to, or information about the host in general. And in another case, is it possible in ISE to make rules or policies to not allow a connection from a host if it doesn't have the latest patches, or patches from a specific date/time, installed on the device?

I was investigating in some forums but I couldn't find a solution that met what I was looking to implement.

Hoping not to bother you with my doubt, I am very attentive to any advice or help you can give me.

Greetings,

1 Accepted Solution


It's actually AnyConnect that supplies the system info (not DHCP relay) to either ISE (ISE Posture Agent) or the ASA/FTD (hostscan).  Hostscan/DAP support was added in FMC/FTD in version 7.0.  Hostscan/DAP Support was added in 6.7 for FDM (API only).


7 Replies

UdupiKrishna
Cisco Employee

ISE posture (deployed as ISE posture module for endpoints) will do most of what you are looking for. Here's a prescriptive guide - https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273


Yup, Cisco ISE Posture is your answer. Also Hostscan with ASA Dynamic Access Policies (DAP) if you don't want to use ISE.

Interesting. About Hostscan with DAP, I'm going to investigate that also.

Another question: is it possible to implement something similar to Hostscan in Firepower in this case? I know that devices with a static IP can be identified easily, but it's the DHCP clients that make it a little bit difficult to know who is who.

It's actually AnyConnect that supplies the system info (not DHCP relay) to either ISE (ISE Posture Agent) or the ASA/FTD (Hostscan). Hostscan/DAP support was added in FMC/FTD in version 7.0. Hostscan/DAP support was added in 6.7 for FDM (API only).
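The flow the accepted answer describes (the VPN client agent reports host facts, and a posture policy decides whether the host is compliant before it gets network access) is sketched below as an added Python illustration. It is not ISE or ASA/DAP configuration and not code from anyone in this thread; the report fields, the policy thresholds and the sample hosts are constructed for the example, and the patch-age check is one way to express the "patches newer than a given date" rule the original question asks about.

```python
"""Toy posture evaluation: an endpoint agent reports host facts, a policy
decides admission.  Added illustration only; not ISE/ASA policy syntax."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class HostReport:
    # Facts a client-side posture agent would collect (constructed fields).
    hostname: str
    os_name: str
    os_version: tuple          # compared lexicographically, e.g. (10, 0)
    last_patch_date: date      # newest OS patch installed on the host
    running_processes: set     # process names seen on the host


@dataclass
class PosturePolicy:
    min_os_version: dict       # os_name -> minimum acceptable version tuple
    max_patch_age_days: int    # newest patch may be at most this old
    required_processes: set    # e.g. an endpoint-protection agent


@dataclass
class Verdict:
    decision: str              # "compliant" or "non-compliant"
    reasons: list = field(default_factory=list)


def evaluate(report: HostReport, policy: PosturePolicy, today: date) -> Verdict:
    """Return a verdict plus every failed check, so the user can remediate."""
    reasons = []

    minimum = policy.min_os_version.get(report.os_name)
    if minimum is None:
        reasons.append(f"operating system not permitted: {report.os_name}")
    elif report.os_version < minimum:
        reasons.append(
            f"OS version {report.os_version} below minimum {minimum}")

    patch_age = today - report.last_patch_date
    if patch_age > timedelta(days=policy.max_patch_age_days):
        reasons.append(
            f"newest patch is {patch_age.days} days old "
            f"(limit {policy.max_patch_age_days})")

    missing = policy.required_processes - report.running_processes
    if missing:
        reasons.append(f"required processes not running: {sorted(missing)}")

    return Verdict("non-compliant" if reasons else "compliant", reasons)


# Constructed sample data for a stand-alone run.
TODAY = date(2024, 1, 15)
POLICY = PosturePolicy(
    min_os_version={"Windows": (10, 0), "macOS": (13, 0)},
    max_patch_age_days=30,
    required_processes={"av_agent"},
)
HEALTHY = HostReport("laptop-01", "Windows", (10, 0), date(2024, 1, 10),
                     {"av_agent", "explorer"})
STALE = HostReport("laptop-02", "Windows", (10, 0), date(2023, 11, 1),
                   {"explorer"})
UNSUPPORTED = HostReport("box-03", "Linux", (6, 1), date(2024, 1, 12),
                         {"av_agent"})

if __name__ == "__main__":
    for host in (HEALTHY, STALE, UNSUPPORTED):
        verdict = evaluate(host, POLICY, TODAY)
        print(host.hostname, verdict.decision, verdict.reasons)
```

Each failed check is reported rather than stopping at the first one, which mirrors how a posture result is normally used: the host is placed in a remediation state and the user is told everything that has to be fixed before a re-check.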

Thank you very much! This info was really useful.

Have a nice day.

Thanks, I'm going to read the documentation that you sent me.

Cisco ISE is the best option