04-05-2019 09:51 PM
Just wondering if there is a detailed guide/document for deploying VPN access (AnyConnect) with ISE, similar to the prescriptive deployment guides for wired/wireless/BYOD etc.?
This is the only document I could find so far - https://community.cisco.com/t5/security-documents/how-to-configure-posture-with-anyconnect-compliance-module-and/ta-p/3647768#toc-hId-837352845
but doesn't show the group-policy config on ISE or how to match tunnel-group conditions. I'm looking for something more thorough.
04-05-2019 11:00 PM
04-06-2019 04:04 AM - edited 04-08-2019 08:48 AM
Very well put. I have asked our experts to step in as well and see if they have other resources.
04-09-2019 06:40 PM
Hi Francesco, thanks for the doc.
04-09-2019 07:16 PM
04-08-2019 12:33 PM
Just curious, are you trying to create a posture policy based on the connection profile/tunnel-group and group-policy on the ASA, similar to the way we do it today with Host Scan and Dynamic Access Policies (DAP)? Unless something has changed on ISE, this is not possible, as we don't pass this along as part of the ACIDEX exchange. You could, however, use RADIUS IETF 25 and put the users in the ASA group-policy you wish during authentication/authorization to ISE from the ASA.
Best regards
Paul
AnyConnect TME
04-09-2019 06:46 PM
No, was just looking for a deployment guide that's recent and updated with AnyConnect VPN and ISE.