ISE HAVE to use AnyConnect - just a confirmation

steven#13
Level 1

I know this is a relatively "dumb" question, but I just wanted to be sure because someone put doubt in my head. Actually, two questions to ensure absolute clarity.

1. Will Cisco ISE ONLY work with AnyConnect, specifically for the posture and other modules to deliver the rules and profiles "to and from" ISE? Meaning no other "third-party" resource delivery agent would work.
2. Assuming the answer to number 1 is "Yes," then the question is: while you need AnyConnect "as a tool of ISE," are you required to only use AnyConnect specifically for the VPN service/connection? Meaning, you can have a different VPN solution (say, OpenVPN) for the actual "tunnel"/protection of the connection, but you still have to have AnyConnect installed and configured to work with ISE for the profile access rules, correct?

4 Replies

Francesco Molino
VIP Alumni
Hi

For Posture, yes, you will need AnyConnect; no 3rd-party software will work.
Sure, you can have AnyConnect just for posture and use your current VPN vendor or any other tools. VPN and Posture are 2 different things.
However, if you want to force VPN users to do posture, then it will be complex because you need to force a user to get redirected. I have never tried it for VPN (I don't often use ISE posture for VPN because I prefer integration with TCNAC solutions), but if you authenticate your users through ISE and push a policy to redirect them to your CPP portal, and set up your VPN to force ISE to act as DHCP/DNS for these users, it may work. Not tested, but it's worth a test.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you, that is helpful information. I guess what I'm focussing on is pushing out network access based on specific profiles within ISE, which will determine what that person can access; or, if accessing from a non-domain-joined computer, it would read that and then could limit access. I guess determination of the type of device from which the user is connecting could only be done from the Posture through AnyConnect. However, if just interested in network access rights/permissions controlled by ISE (profiles), could that be done without the Posture process you mentioned - meaning, would there be an easy/simple way to trigger a DACL based on user authentication in order to control what the person could access over VPN?

However, if just interested in network access rights/permissions controlled by ISE (profiles), could that be done without the Posture process you mentioned - meaning, would there be an easy/simple way to trigger DACL based on user authentication in order to control what the person could access over VPN?
-You can accomplish this without the use of the ISE posture module. If you wish to push an authz policy based on tunnel-group name, you can reference this condition: Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name EQUALS <group>
Create your dACL, assign it to an authz profile, and assign that to the authz policy as you desire.

Yes, you can push an ACL based on user ID during the authentication.
However, you won't be able to determine whether this user is on a corporate laptop or not without the posture feature.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
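To make the two answers above concrete (identity/tunnel-group based dACLs need no posture; corporate-vs-personal device decisions do), here is an added mock of how an ISE-style authorization policy set would evaluate a VPN session. This is illustrative code, not Cisco's or any poster's; the tunnel-group names, AD group, profile names and addresses are constructed.

```python
"""Mock of an ISE authorization policy set for VPN sessions (added example,
not Cisco's code). Shows that tunnel-group/identity based dACL assignment
works without posture, while device-compliance gating needs posture status."""
from dataclasses import dataclass

# Constructed dACL bodies in the extended-ACL form ISE pushes to the ASA/IOS NAD.
DACL_EMPLOYEE = ("permit ip any 10.10.0.0 0.0.255.255", "deny ip any any")
DACL_CONTRACTOR = ("permit tcp any host 10.10.20.5 eq 443", "deny ip any any")
# Remediation ACL: only DNS and the (constructed) ISE client-provisioning portal.
DACL_REMEDIATE = ("permit udp any any eq 53",
                  "permit tcp any host 10.10.99.1 eq 8443", "deny ip any any")

@dataclass(frozen=True)
class Session:
    """RADIUS-side view of one VPN login (attribute names as in the thread)."""
    username: str
    tunnel_group: str            # Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name
    ad_groups: frozenset = frozenset()
    posture: str = "Unknown"     # Unknown | Compliant | NonCompliant (from AnyConnect)

def authz_rules(require_posture: bool):
    """Ordered rule table: (rule name, condition, authz profile, dACL).
    ISE evaluates top-down and applies the first matching rule."""
    rules = []
    if require_posture:
        # Posture-gating rules must precede the identity rules so an unknown or
        # failed posture never falls through to full access.
        rules += [
            ("Posture_Unknown", lambda s: s.posture == "Unknown", "Redirect_CPP", DACL_REMEDIATE),
            ("Posture_Fail", lambda s: s.posture == "NonCompliant", "Quarantine", DACL_REMEDIATE),
        ]
    rules += [
        ("Contractors", lambda s: s.tunnel_group == "CONTRACTOR-VPN", "Contractor_Access", DACL_CONTRACTOR),
        ("Employees", lambda s: "Domain Users" in s.ad_groups, "Employee_Access", DACL_EMPLOYEE),
        ("Default", lambda s: True, "DenyAccess", ()),
    ]
    return rules

def authorize(session: Session, require_posture: bool = False):
    """Return (authz profile, dACL) for the session; first matching rule wins."""
    for _name, cond, profile, dacl in authz_rules(require_posture):
        if cond(session):
            return profile, dacl
    raise RuntimeError("unreachable: the Default rule always matches")

if __name__ == "__main__":
    emp = Session("alice", "EMPLOYEE-VPN", frozenset({"Domain Users"}))
    print(authorize(emp))                        # identity only -> Employee_Access
    print(authorize(emp, require_posture=True))  # no posture yet -> Redirect_CPP
```

Without posture the same user gets the same dACL from a personal laptop and a corporate one; only the posture-gated table can tell them apart.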