ISE VPN Posture checks

Hi Experts,

 

We've ISE version 2.6 running to authenticate and authorize remote access VPN users. We already have a service condition to ensure the (AV) service is installed and running.

 

Under the posture policy, we've set the Identity as 'Any' to meet the posture requirements, and in the AuthZ policy, if the user is part of 'Group A' + session is compliant = user will be granted access. Similarly, other AuthZ policies are also set part of the AD groups and session status.

 

Now, we're planning to add another service condition in the running status (AV), but we don't want to deploy it to everyone. We would like to get this deployed to the pilot/testing AD group.

 

So in the Posture policy, we're planning to add a new policy only for the new AD group, and (with no changes in the AuthZ policies) will it break the VPN connectivity? As the posture policy is just defined for the testing AD group and that AD group isn't called in the AuthZ policies.

 

Please assist.

 

Thanks,

 


Mike.Cifelli
VIP Alumni

So in the Posture policy, we're planning to add a new policy only for the new AD group, and (with no changes in the AuthZ policies) will it break the VPN connectivity? As the posture policy is just defined for the testing AD group and that AD group isn't called in the AuthZ policies.

-No, this will not break VPN connectivity. Like you mentioned, as long as you reference the unique AD test group as 'Other Condition' to differentiate, you will be good.

Thanks Mike for the quick reply.

 

So the existing posture policy will have the identity set to 'any' and the new condition will be set to 'testing AD group' with the new posture requirements. When it comes to AuthZ policies, though the testing AD group isn't called anywhere, it wouldn't break the connectivity.

 

Please correct me if I'm wrong.

 

Also, what if we set it to 'any' (in the posture policy) with the optional/Audit option ticked? Can you please suggest the preferred one?

 

Thanks.