
posture validation of RemoteAccess VPN users

Waseem Memon
Level 1

Hello Experts,

We want to implement NAC/ISE for remote access users (terminating on Cisco ASA or IOS Routers). Through NAC/ISE, we want to know whether the users coming through the VPN ...

- are using company-given laptops

- have the required software (anti-virus etc.) installed and up to date

Thanks

4 Replies

Charlie Moreton
Cisco Employee

By using an ISE Inline Posture Node (IPN), you can posture the clients connecting through VPN to your network.  You can set up Posture rules and Remediation sites for the software requirements. 

Using the Profiling service, you can also determine the device from which they are connecting.  You could go so far as to create rulesets based upon MAC addresses so that when a company-owned device is connected specific access can be granted.

Note that the IPN for the ISE must be a physical appliance (not a Virtual Node) and that you will need an Advanced Services License to enable posturing and profiling.

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

Thanks Charles for the reply...

Does NAC have the same provisioning?

And how would we configure the ASA/IOS devices to send the traffic to the NAC appliance to validate the posture before accessing any other device in the network?

Thanks...

The NAC Appliance does have some of the same posture validation elements to it.  Using the NAC Server with the NAC Agent will give you the results you are looking for, I believe.

The NAC Guest Server will make this process more streamlined for your users, if you decide to go the NAC route.  You can read more about it here:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd802da1b5.html

Charles Moreton

aqjaved
Level 3

Well answered by Charles.

You can check the link below for step-by-step configuration of the IPN:

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_ipep_deploy.html