02-10-2020 09:25 AM
I know this is a relatively "dumb" question, but I just wanted to be sure because someone put doubt in my head. Actually, two questions, to ensure absolute clarity.
1. Will Cisco ISE ONLY work with AnyConnect, specifically for the posture and other modules to deliver the rules and profiles "to and from" ISE? Meaning no other "third-party" resource delivery agent would work.
2. Assuming the answer to number 1 is "Yes," then the question is: while you need AnyConnect "as a tool of ISE," are you required to use only AnyConnect for the VPN service/connection? Meaning, you can have a different VPN solution (say, OpenVPN) for the actual "tunnel"/protection of the connection, but you still have to have AnyConnect installed and configured to work with ISE for the profile access rules, correct?
Labels: Identity Services Engine (ISE)
Accepted Solutions
02-10-2020 10:58 AM
For posture, yes, you will need AnyConnect; no 3rd-party software will work.
Sure, you can have AnyConnect just for posture and use your current VPN vendor or any other tools. VPN and posture are 2 different things.
However, if you want to force VPN users to do posture, it will be complex because you need to force the user to get redirected. I have never tried it for VPN (I don't use ISE posture for VPN that often because I prefer integration with TCNAC solutions), but if you authenticate your users through ISE and push a policy to redirect them to your CPP portal, plus set up your VPN to force ISE to act as DHCP/DNS for these users, it may work. Not tested, but it is worth a test.
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
02-13-2020 11:38 AM
Thank you, that is helpful information. I guess what I'm focusing on is pushing out network access based on specific profiles within ISE, which will determine what that person can access, or, if accessing from a non-domain-joined computer, it would read that and could then limit access. I guess the type of device from which the user is connecting could only be determined by posture through AnyConnect. However, if I'm just interested in network access rights/permissions controlled by ISE (profiles), could that be done without the posture process you mentioned? Meaning, would there be an easy/simple way to trigger a DACL based on user authentication in order to control what the person could access over VPN?
02-13-2020 11:55 AM
You can accomplish this without the use of the ISE posture module. If you wish to push an authz policy based on tunnel-group name, you can reference this condition: Cisco-VPN3000: CVPN3000/ASA/Pix7x-Tunnel-Group-Name EQUALS <group>
Create your dACL, assign it to an authz profile, and assign that profile to the authz policy as you desire.
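As an added example that is not part of the thread above, here is what the ASA side of that answer looks like, together with a dACL of the kind you would paste into ISE under Policy > Policy Elements > Results > Authorization > Downloadable ACLs. The names (ISE_RADIUS, CONTRACTORS, VPN_POOL), the addresses and the shared secret are assumptions for illustration. The ASA sends the tunnel-group name to ISE in the RADIUS Access-Request as the Cisco-VPN3000 Tunnel-Group-Name attribute, which is what the condition quoted above matches on; ISE answers with a reference to the dACL in the Access-Accept, and the ASA fetches the ACL body from ISE and applies it to that session. `dynamic-authorization` is what lets ISE send CoA to the ASA later; it is not required for the plain dACL case but you will want it before attempting any posture or redirect flow. ASA support for applying ISE dACLs to remote-access sessions arrived in 9.2(1); confirm on your release.

```text
! --- ASA: point the tunnel-group at ISE for RADIUS authentication/accounting ---
aaa-server ISE_RADIUS protocol radius
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server ISE_RADIUS (inside) host 10.0.0.10
 key ExampleSharedSecret
 authentication-port 1812
 accounting-port 1813

ip local pool VPN_POOL 10.20.0.10-10.20.0.250 mask 255.255.255.0

tunnel-group CONTRACTORS type remote-access
tunnel-group CONTRACTORS general-attributes
 address-pool VPN_POOL
 authentication-server-group ISE_RADIUS
 accounting-server-group ISE_RADIUS
tunnel-group CONTRACTORS webvpn-attributes
 group-alias Contractors enable

! --- ISE: dACL body (Downloadable ACL "CONTRACTORS_DACL"), IOS-style syntax ---
! Allow only DNS and a single HTTPS application server, deny the rest.
permit udp any host 10.1.10.5 eq 53
permit tcp any host 10.1.10.20 eq 443
deny ip any any
```

In ISE, create the authorization profile with Access Type ACCESS_ACCEPT and select CONTRACTORS_DACL as its DACL, then write the authorization rule as `Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name EQUALS CONTRACTORS` (optionally ANDed with an AD group condition) with that profile as the result. Verify from the ASA with `show vpn-sessiondb detail anyconnect`, which lists the applied dACL as `#ACSACL#-IP-CONTRACTORS_DACL-<hash>`, and in ISE RADIUS Live Logs, where the Access-Accept detail shows the dACL being downloaded by the ASA.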
02-13-2020 07:06 PM
However, you won't be able to determine if this user uses a corporate laptop or not without the posture feature.
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
