cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

141
Views
25
Helpful
4
Replies
Beginner

ISE HAVE to use AnyConnect - just a confirmation

I know this is relatively a "dumb" question, but just wanted to be sure because someone put doubt in my head. Actually, two questions to ensure absolute clarity.

1. Will Cisco ISE ONLY work with AnyConnect, specifically for the posture and other modules to deliver the rules and profiles "to and from" ISE? Meaning no other "third-party" resource delivery agent would work.

 

2. Assuming the answer to number 1 is "Yes," then the question is: while you need AnyConnect "as a tool of ISE," are you required to only use AnyConnect specifically for the VPN service/connection? Meaning, you can have a different VPN solution (say, OpenVPN) for the actual "tunnel"/protection of the connection, but you still have to have AnyConnect installed and configured to work with ISE for the profile access rules, correct?

Everyone's tags (3)
3 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted
VIP Advisor

Re: ISE HAVE to use AnyConnect - just a confirmation

Hi

For Posture, yes you will need Anyconnect, no 3rd party software will work.
Sure you can have Anyconnect just for posture and use your current VPN vendor or any other tools. VPN and Posture are 2 different things.
However, if you want to force VPN users to do posture, then it will be complex because you need to force a user to get redirected. Never tried for VPN (not so often I use ISE posture for VPN because prefer integration with TCNAC solutions) , if you authenticate your users through ISE and push a policy to redirect them on your CPP portal + setup your VPN to force ISE to act as DHCP/DNS for these users, it may works. Not tested but it worth a test.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Highlighted
VIP Rising star

Re: ISE HAVE to use AnyConnect - just a confirmation

However, if just interested in network access rights/permissions controlled by ISE (profiles), could that be done without the Posture process you mentioned - meaning, would there be an easy/simple way to trigger DACL based on user authentication in order to control what the person could access over VPN?
-You can accomplish this without the use of the ISE posture module. If you wish to push authz policy based on tunnel-group-name you can reference this condition: Cisco-VPN3000: CVPN3000/ASA/Pix7x-Tunnel-Group-Name EQUALS <group>
Create your dacl, assign it to authz profile, and assign to authz policy as you desire.

View solution in original post

Highlighted
VIP Advisor

Re: ISE HAVE to use AnyConnect - just a confirmation

Yes you can push acl based on user id during the authentication.
However, you won't be able to determine if this user uses a corporate laptop or not without the posture feature.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

4 REPLIES 4
Highlighted
VIP Advisor

Re: ISE HAVE to use AnyConnect - just a confirmation

Hi

For Posture, yes you will need Anyconnect, no 3rd party software will work.
Sure you can have Anyconnect just for posture and use your current VPN vendor or any other tools. VPN and Posture are 2 different things.
However, if you want to force VPN users to do posture, then it will be complex because you need to force a user to get redirected. Never tried for VPN (not so often I use ISE posture for VPN because prefer integration with TCNAC solutions) , if you authenticate your users through ISE and push a policy to redirect them on your CPP portal + setup your VPN to force ISE to act as DHCP/DNS for these users, it may works. Not tested but it worth a test.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Highlighted
Beginner

Re: ISE HAVE to use AnyConnect - just a confirmation

Thank you, that is helpful information. I guess what I'm focussing on is pushing out network access based on specific profiles within ISE which will determine what that person can access or if accessing from a non-domain joined computer it would read that and then could limit access. I guess determination of the type of device from which the user is connecting could only be determined from the Posture through AnyConnect. However, if just interested in network access rights/permissions controlled by ISE (profiles), could that be done without the Posture process you mentioned - meaning, would there be an easy/simple way to trigger DACL based on user authentication in order to control what the person could access over VPN? 

Highlighted
VIP Rising star

Re: ISE HAVE to use AnyConnect - just a confirmation

However, if just interested in network access rights/permissions controlled by ISE (profiles), could that be done without the Posture process you mentioned - meaning, would there be an easy/simple way to trigger DACL based on user authentication in order to control what the person could access over VPN?
-You can accomplish this without the use of the ISE posture module. If you wish to push authz policy based on tunnel-group-name you can reference this condition: Cisco-VPN3000: CVPN3000/ASA/Pix7x-Tunnel-Group-Name EQUALS <group>
Create your dacl, assign it to authz profile, and assign to authz policy as you desire.

View solution in original post

Highlighted
VIP Advisor

Re: ISE HAVE to use AnyConnect - just a confirmation

Yes you can push acl based on user id during the authentication.
However, you won't be able to determine if this user uses a corporate laptop or not without the posture feature.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post