05-18-2021 06:01 AM
Good afternoon. I'm working to understand more about DACLs using Cisco ISE to perform posture checks against our AnyConnect VPN clients. I understand I need to create a few different DACLs to allow/deny traffic based on the posture checks we create. In reference to the DACLs, do they actually get configured on the Cisco ASA firewall as an ACL? More so, does any configuration get added/removed/updated on the Cisco ASA by ISE? For the DACLs that I create, do I need to create the same ACLs on the ASA?
Thanks in advance for any assistance given.
05-19-2021 05:10 AM
In reference to the DACLs, do they actually get configured on the Cisco ASA firewall as an ACL?
-For client provisioning web redirection, yes. You would configure the ACL on the FW, and then inside the authz profile select Web Redirection for posturing and paste in the ACL name so that the ASA knows what ACL to apply.
More so, does any configuration get added/removed/updated on the Cisco ASA by ISE? For the DACLs that I create, do I need to create the same ACLs on the ASA?
-ISE will send the remaining DACLs for compliant or noncompliant states to the ASA. These DACLs are created in ISE and do not need to be on the ASA. Just create them in ISE, and assign to compliant/noncompliant authz profiles.
A few oldies, but goodies:
ASA Version 9.2.1 VPN Posture with ISE Configuration Example - Cisco
How To: ISE and ASA Integration using CoA for Posture - Cisco Community
HTH!
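To make the split described in the answer concrete, here is an added example (not part of the original thread, and not taken from the two linked Cisco documents) showing which pieces an admin types on the ASA and which exist only in ISE. Every name and address in it is an assumption for illustration: the ISE PSN at 10.0.0.10, the redirect ACL name REDIRECT-ACL, the tunnel group SSLVPN, the remediation server 10.0.0.50, and the DACL and authorization profile names.

```text
! ===== On the ASA (static config, created by the admin; ISE never edits this) =====
! Redirect ACL that the ISE authorization profile references by name.
! ASA semantics for a redirect ACL: "permit" lines ARE redirected to the ISE
! client-provisioning portal, "deny" lines are EXEMPT from redirect. DNS and
! traffic to the PSN itself must be exempt or the redirect can never complete.
access-list REDIRECT-ACL extended deny udp any any eq domain
access-list REDIRECT-ACL extended deny ip any host 10.0.0.10
access-list REDIRECT-ACL extended permit tcp any any eq www
access-list REDIRECT-ACL extended permit tcp any any eq https

! RADIUS server group pointing at ISE. "dynamic-authorization" makes the ASA
! listen for CoA (UDP 1700 by default) so ISE can re-authorize the session once
! the posture result is known; without it the client stays in the redirect state.
aaa-server ISE protocol radius
 dynamic-authorization
 interim-accounting-update periodic 1
aaa-server ISE (inside) host 10.0.0.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813

! Accounting to ISE is required as well: ISE uses it to track the VPN session
! it will later issue CoA against.
tunnel-group SSLVPN general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy GP-VPN

! ===== In ISE only (nothing to type on the ASA for these) =====
! Authorization profile "VPN-Posture-Unknown": Web Redirection (Client Provisioning),
! ACL field = REDIRECT-ACL. ISE delivers this in the Access-Accept as cisco-av-pair
! attributes; the ASA only has to recognise the ACL name:
!   url-redirect-acl=REDIRECT-ACL
!   url-redirect=https://<ise-psn-fqdn>:8443/portal/gateway?<session parameters>

! DACL "VPN-Posture-Compliant" (Policy > Policy Elements > Results > Downloadable ACLs),
! assigned to the compliant authorization profile. IOS-style syntax, source "any":
! it is applied to that one client's VPN session, not as a global ACL.
permit ip any any

! DACL "VPN-Posture-NonCompliant", assigned to the non-compliant profile:
! remediation sources only, everything else dropped.
permit udp any any eq domain
permit ip any host 10.0.0.10
permit tcp any host 10.0.0.50 eq 443
deny ip any any
```

The DACLs never appear in the ASA's saved configuration; they are downloaded per session after CoA. To confirm that the right one landed, look at the "Filter Name" line in `show vpn-sessiondb detail anyconnect filter name <username>`, and at `show access-list`, where downloaded ACLs show up under a generated `#ACSACL#-IP-...` name rather than the name you gave them in ISE. If the session still shows the redirect URL after the posture check completed, the usual cause is CoA not reaching the ASA (missing `dynamic-authorization`, wrong shared secret, or a firewall blocking UDP 1700 from the PSN).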
05-19-2021 05:49 AM
Thanks for the feedback!