02-03-2014 10:40 PM - edited 03-10-2019 09:21 PM
Hi,
I have the following setup for the VPN inline posturing:
VPN Users ----- ASA ----- ISE (ipep) ------ Core SW
On the ASA, I have 2 tunnel-groups, the 1st one uses the ISE as radius server, and the 2nd one is using local authentication, and they are sharing the same IP pool (ASA inside interface subnet).
When the users connect to tunnel-group with ISE, all is working fine, the NAC agent installed and users can access internal resources.
When any user connects to the tunnel-group without ISE, he cannot access any internal resources, even though the routing and everything else is configured.
The filter configuration here is only applied to the ASA inside interface; when I add the whole subnet to the filter configuration, we can access the inside VLANs, but without it we cannot.
Does this mean that I bypass posture assessment for all the traffic from this pool (with and without ISE)? Or do I need to have 2 separate pools for that? The filter configuration is not that clear in this setup.
Thanks.
Ahmad.
02-05-2014 01:00 AM
Please refer to the ISE inline posture configuration at
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ipep_deploy.html
02-06-2014 01:19 AM
For certain devices, you may want to bypass authentication, posture assessment, role assignment, or any combination thereof. Common examples of bypassed device types include printers, IP phones, servers, nonclient machines, and network devices.
Inline Posture matches the MAC, MAC and IP, or subnet address to determine whether the bypass function is enabled for a device. You can choose to bypass policy enforcement or to forcibly block access.
04-07-2014 05:04 PM
I have a similar scenario:
VPN users ----- ASA ----- ISE-ipep (HA) ----- Core SW
I have two pools for users. One pool (192.168.0.0/22) is intended for laptops with anyconnect authenticated by ISE (Internal – further would be AD). The second pool (192.168.4.0/22) is intended for mobile devices (smartphones and iDevices); authenticated by ASA certificates and bypassed in the IPN.
On the first tests, the laptops can be authenticated by ISE Internal DB, but users can’t access internal resources.
I think the problem may be originating in something extraneous I saw in the IPN routing table. On the GUI the route for 192.168.0.0/22 has the ASA interface as default gateway, but on the CLI the same route appears to not have default gateway.
I will appreciate any assistance.
Regards.
Daniel Escalante
04-15-2014 04:44 AM
Hi,
I solved this issue by splitting the IP pool (/24) into 2 * (/25) subnets, and assigning each pool to a different tunnel-group.
On the ISE IPEP node, I added a filter for the non-secure pool (non-secure tunnel-group) so the ISE will only pass this traffic without applying any policy to it.
I did that using the filters, and ensured that the routing is correct on the Core SW.
The filter configuration is for the IP addresses, not MAC addresses.
I cannot remember the command on the PEP CLI itself that shows the filters.
The idea is that you need the traffic to pass through the IPEP without posturing, so you need to split the traffic and apply filters.
In case you need more help, you're welcome to ask.
Thanks.
Ahmad.
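The ASA side of the split described in the post above, as an added example that is not the poster's own configuration: a /24 divided into two /25 pools, each bound to its own tunnel-group, with only the first authenticating against ISE. All names, addresses and the RADIUS key are constructed placeholders; the IPEP filter that exempts the second /25 from posture is configured on the ISE node and is not shown here.

```cisco
! Constructed example: one /24 (10.10.10.0/24) split into two /25 pools
ip local pool POOL-POSTURED 10.10.10.1-10.10.10.126 mask 255.255.255.128
ip local pool POOL-BYPASS   10.10.10.129-10.10.10.254 mask 255.255.255.128

! ISE as the RADIUS server (placeholder address and key)
aaa-server ISE-RADIUS protocol radius
aaa-server ISE-RADIUS (inside) host 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET

! Tunnel-group 1: authenticated by ISE, traffic is postured by the IPEP
tunnel-group VPN-POSTURED type remote-access
tunnel-group VPN-POSTURED general-attributes
 address-pool POOL-POSTURED
 authentication-server-group ISE-RADIUS

! Tunnel-group 2: local authentication, its /25 is matched by the
! IPEP IP-subnet filter so the node passes it without posture policy
tunnel-group VPN-BYPASS type remote-access
tunnel-group VPN-BYPASS general-attributes
 address-pool POOL-BYPASS
 authentication-server-group LOCAL
```

Because the IPEP filter matches on IP subnet rather than MAC, the two pools must not overlap, otherwise the bypass filter would also exempt postured clients.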
04-25-2014 11:17 AM
Kindly check the link for a step-by-step configuration for Inline Posture.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115724-vpn-inpost-asa-00.html