06-24-2020 06:45 AM - edited 06-24-2020 06:45 AM
Complicated (to me) question - due possibly to me not knowing the solution well enough:
We have a customer with a sizable Citrix infrastructure. They are allowing clients' connection to the XenDesktop infrastructure via public interface through a Netscaler. AAA is done directly on AD (no NAC, plain NPS).
Question: is there a way via ISE to run posturing on remote clients and forbid them from authenticating in case they're found to be in a non-compliant state? It's obvious that XenServer will need to AAA to ISE, and ISE can posture clients that are inside the network, and outside via AnyConnect module, but does AnyConnect ABSOLUTELY REQUIRE to be connected via VPN to run the posturing, or can it run it and communicate posturing results to the FMC nonetheless even if not connected?
Easy part is the fact that customer would like to have DUO integrated with Citrix - but that is easy, I know already that it can be done.
Or could ISE service be published through a public IP resolvable via FQDN and the posturing be done continuously as if the client was on premise?
Please let me know if any of this makes sense, or if there is a much simpler solution which I ignore.
Thank you very much!
06-25-2020 11:43 AM - edited 06-25-2020 11:49 AM
I did not understand how FMC came into the picture here. Do you want to send user identity to FMC?
Coming back to the original question, I don't think you can have NPS auth the user and then ISE do the posture.
You need to do both on ISE, and VPN is not required.