
Need help on NAC for VPN

User_80617
Level 1

Hello guys, need your help. This will be a long post and I need help in the deployment of NAC for VPN users.

 

The requirement is that the user shall connect to VPN after some checks that are defined on Cisco ISE.

1. What config needed on Cisco ASA

2. What config needed on Cisco ISE

3. Does any config related to HostScan/posturing need to be on the Cisco ASA?

 

Need suggestions on parameters to test and things to ensure before rolling out in production.


10 Replies

@User_80617 

Here is the official Cisco ASA RAVPN and ISE Posture guide, this covers the ASA and ISE config.

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

 

You don't need to use Hostscan if you are doing posture on ISE.

Hi, thanks for the reply. But this didn't work.

 

Compliance module says no policy server detected and user gets access even after required components missing on his endpoint.

Hi @User_80617 

At Operations > RADIUS > Live Logs, check the Authorization Policy of this particular Identity (user).

Use this information and double check at Policy > Policy Set if it should be the correct Authorization Policy.

 

Hope this helps !!!

Hi,

 

Below is the live log output:

 

11001 Received RADIUS Access-Request

11017 RADIUS created a new session

15049 Evaluating Policy Group

15008 Evaluating Service Selection Policy

15048 Queried PIP - Network Access.NetworkDeviceName

24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory

15036 Evaluating Authorization Policy

24209 Looking up Endpoint in Internal Endpoints IDStore - xxxxx

24211 Found Endpoint in Internal Endpoints IDStore

15048 Queried PIP - Session.PostureStatus

15016 Selected Authorization Profile ASA-Posture

22081 Max sessions policy passed

22080 New accounting session created in Session cache

11002 Returned RADIUS Access-Accept


Authorization Policy Posture_Policy >> Posture_Unknown


Authorization Result ASA-redirect

 

ASA_redirect should direct the user to ISE, but compliance is failing. Even the posture unknown status shall get access rejected (Access Type = ACCESS_REJECT), but the user can successfully connect to the VPN.

 

What could be wrong? I followed the Cisco config document as it is.

Hi @User_80617 

At Policy > Policy Elements > Results > Authorization > Authorization Profiles, select the Authorization Profile that you use in your "Unknown Policy Set" and, under Common Tasks, double check your Web Redirection configuration.

Double check that the ACL named in the Web Redirection configuration exists on your ASA.

 

Hope this helps !!!
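The two replies above boil down to one consistency check: the authorization profile ISE selects for a posture-unknown session must carry a Web Redirection ACL, and an ACL with exactly that name must exist on the ASA. The following Python audit is an added example, not code from this thread or from Cisco: it parses the step lines quoted in the live log above, takes a constructed profile-to-ACL mapping and a constructed ASA access-list fragment (both assumptions), and reports the mismatch.

```python
import re
# Constructed sample: the step lines and names quoted in the thread above.
LIVE_LOG = """\
11001 Received RADIUS Access-Request
15048 Queried PIP - Session.PostureStatus
15016 Selected Authorization Profile ASA-Posture
11002 Returned RADIUS Access-Accept
"""
# Assumption: the redirect ACL each ISE authorization profile names under
# Common Tasks > Web Redirection (a profile absent here has none configured).
REDIRECT_ACL_BY_PROFILE = {"ASA-Posture": "ISE-POSTURE-REDIRECT"}
# Constructed fragment of 'show running-config access-list' from the ASA.
ASA_CONFIG = """\
access-list ISE_POSTURE_REDIRECT extended deny udp any any eq domain
access-list ISE_POSTURE_REDIRECT extended permit tcp any any eq www
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
"""

def parse_steps(text):
    """Return (code, message) pairs from live-log lines of the form 'NNNNN text'."""
    return [(m.group(1), m.group(2)) for m in
            (re.match(r"\s*(\d{5})\s+(.*\S)", ln) for ln in text.splitlines()) if m]

def summarize(steps):
    """Pull the facts a posture troubleshoot needs out of the step list."""
    info = {"posture_queried": False, "profile": None, "result": None}
    for code, msg in steps:
        if code == "15048" and "Session.PostureStatus" in msg:
            info["posture_queried"] = True          # posture was part of the decision
        elif code == "15016":                       # Selected Authorization Profile <name>
            info["profile"] = msg.split("Selected Authorization Profile", 1)[-1].strip()
        elif code == "11002":                       # Returned RADIUS Access-Accept
            info["result"] = "ACCESS_ACCEPT"
    return info

def asa_acl_names(config):
    """ACL names defined on the ASA ('access-list <name> ...' lines)."""
    return set(re.findall(r"^access-list\s+(\S+)", config, re.M))

def audit(live_log, redirect_acl_by_profile, asa_config):
    """Explain why an Access-Accept on a posture session might not redirect."""
    info = summarize(parse_steps(live_log))
    findings = []
    if info["posture_queried"] and info["result"] == "ACCESS_ACCEPT":
        acl = redirect_acl_by_profile.get(info["profile"])
        if acl is None:
            findings.append(f"profile {info['profile']} has no Web Redirection ACL")
        elif acl not in asa_acl_names(asa_config):
            findings.append(f"redirect ACL {acl} is not defined on the ASA")
    return findings
```

With the constructed inputs the audit flags the hyphen/underscore mismatch between the ACL name in the ISE profile and the one on the ASA, which is exactly the kind of typo that leaves a posture-unknown client connected without ever being redirected to the provisioning portal.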

Compliance module says no policy server detected and user gets access even after required components missing on his endpoint.

-This is typically because your module is missing the respective posture profile XML files. The URL redirect should point a new/unprovisioned client to your portal, in which ISE will then push down your configured profiles/modules/etc. Another option you could test is manually adding the profiles to your test client. I suspect this may be a missing piece, as well as how you have your client provisioning portal set up. The guide shared definitely covers the necessary steps involved. However, its screenshots/demos are from a very old version of ISE. I would suggest taking a look at some lab tutorials from links already shared in this post as well as having a look here: ISE Posture Prescriptive Deployment Guide - Cisco Community

HTH!

Hi,

 

The posturing now works OK, but I have 2 queries.

 

1. It works only when the ISE posture/compliance module is installed on the system. When connecting from a system that has only the AnyConnect client, the VPN gets connected.

2. What should the settings on Cisco ISE be if I want to apply the posturing and client provisioning only for a certain VPN profile on a particular ASA (there might be many other profiles coming to ISE for authentication)?

 

Need some help on this.

Hi @User_80617 ,

You are able to use the Conditions:

Cisco-VPN3000-CVPN3000/ASA/PIX7x-Tunnel-Group-Name equals <Tunnel Group>

or/and

DEVICE.Location equals All Locations#<Location>

Note: remember to add your ASA to the <Location> at Administration > Network Resources > Network Devices.

 

Hope this helps !!!

balaji.bandi
Hall of Fame

This is not just a few steps; this requires some kind of integration expert to implement things in a step-by-step approach, not from day 0.

You need to put in some time and understand how each of these components works.

 

https://community.cisco.com/t5/security-documents/nac/ta-p/3114257

 

Here are some resources to start with:

 

ISE Community Resources

http://cs.co/ise-resources

YouTube Channel: http://cs.co/ise-videos

Integration Guides: http://cs.co/ise-guides

 

BB


Mike.Cifelli
VIP Alumni

Also, take a peek at https://labminutes.com/video/sec

Good free tutorials there. HTH!