07-26-2012 06:53 AM - edited 03-10-2019 07:20 PM
Hi all,
We have an inline posture ISE which is acting as a RADIUS server for authenticating VPN clients through our ASA.
However, because VPN clients do not send their MAC like wireless and wired clients do, the ISE cannot profile based on MAC as it does by default.
Has anyone come across this issue and has another way of profiling VPN devices?
Thanks
Mario
07-26-2012 07:17 AM
One way to accomplish this is to set up a SPAN port for the client VLAN that they are coming in from; from that point ISE will be able to profile devices based on their user agent strings.
Hope that helps.
Tarik Admani
*Please rate helpful posts*
06-03-2013 05:47 PM
Please review the links below, which might be helpful:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bea904.shtml
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_ipep_deploy.html
06-10-2013 12:52 AM
If you're using inline posture, it means that you also use NAC Agent and a posture redirect.
You don't have to set up a SPAN port for the user agent string because, by means of the redirect ACL, ISE will find it anyway.
Moreover, you can use NAC Agent to verify certain OS parameters to figure out what kind of device is used when doing RA VPN.