Question about DACLs on ISE with AnyConnect Posture Checks

hurricane05
Level 1

Good afternoon. I'm working to understand more about DACLs using Cisco ISE to perform posture checks against our AnyConnect VPN clients. I understand I need to create a few different DACLs to allow/deny traffic based on the posture checks we create. In reference to the DACLs, do they actually get configured on the Cisco ASA firewall as an ACL? More so, does any configuration get added/removed/updated on the Cisco ASA by ISE? For the DACLs that I create, do I need to create the same ACLs on the ASA?

Thx in advance for any assistance given.

Accepted Solution

Mike.Cifelli
VIP Alumni

In reference to the DACLs, do they actually get configured on the Cisco ASA firewall as an ACL?

-For client provisioning web redirection, yes. You would configure the ACL on the FW, and then inside the authz profile select Web Redirection for posturing and paste in the ACL name so that the ASA knows what ACL to apply.

More so, does any configuration get added/removed/updated on the Cisco ASA by ISE? For the DACLs that I create, do I need to create the same ACLs on the ASA?

-ISE will send the remaining DACLs for compliant or noncompliant states to the ASA. These DACLs are created in ISE and do not need to be on the ASA. Just create them in ISE, and assign to compliant/noncompliant authz profiles.

A few oldies, but goodies:

ASA Version 9.2.1 VPN Posture with ISE Configuration Example - Cisco

How To: ISE and ASA Integration using CoA for Posture - Cisco Community

HTH!

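To make the split in the answer above concrete, here is an added example (not from the original post or from Cisco's documentation) of which pieces live on the ASA and which live only in ISE; the ACL and DACL names, the tunnel-group name, the ISE address 10.1.1.10, the remediation server 10.1.1.20 and the RADIUS key are constructed placeholders.

```text
! --- Configured ON THE ASA (placeholder names and addresses) ---
! Redirect ACL referenced by name from the ISE authz profile
! (Web Redirection -> Client Provisioning (Posture)). Traffic that
! matches a permit line is redirected to the ISE portal; deny lines
! exempt the traffic posture itself needs (DNS, ISE, ICMP).
access-list REDIRECT_ACL extended deny udp any any eq domain
access-list REDIRECT_ACL extended deny ip any host 10.1.1.10
access-list REDIRECT_ACL extended deny icmp any any
access-list REDIRECT_ACL extended permit tcp any any eq www
!
! RADIUS server group pointing at ISE, with CoA enabled so ISE can
! re-authorize the session once the posture result changes.
aaa-server ISE protocol radius
 dynamic-authorization
 interim-accounting-update periodic 1
aaa-server ISE (inside) host 10.1.1.10
 key <radius-shared-secret>
!
! The AnyConnect tunnel-group authenticates and accounts against ISE.
tunnel-group ANYCONNECT_VPN general-attributes
 authentication-server-group ISE
 accounting-server-group ISE

! --- Created IN ISE only (Policy Elements > Results > Downloadable ACLs) ---
! Nothing below is typed on the ASA; ISE pushes it per VPN session.
!
! DACL "POSTURE_UNKNOWN" (pre-posture authz profile, paired with the
! web redirection that names REDIRECT_ACL): DNS and ISE only.
permit udp any any eq domain
permit ip any host 10.1.1.10
deny ip any any
!
! DACL "POSTURE_COMPLIANT" (compliant authz profile)
permit ip any any
!
! DACL "POSTURE_NONCOMPLIANT" (noncompliant authz profile):
! DNS, ISE and the remediation server only; everything else drops.
permit udp any any eq domain
permit ip any host 10.1.1.10
permit tcp any host 10.1.1.20 eq 443
deny ip any any
```

Only the redirect ACL and the RADIUS/tunnel-group lines are ASA configuration; the three DACLs exist solely in ISE and are selected by the authz profile that matches each posture state.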

2 Replies


Thx for the feedback!!!