marioderosa2008
Beginner

VPN device profiling issue ISE In Line with ASA

Hi all,

We have an inline posture ISE which is acting as a RADIUS server for authenticating VPN clients through our ASA.

However, because VPN clients do not send their MAC like wireless and wired clients do, the ISE cannot profile based on MAC as it does by default.

Has anyone come across this issue and have another way of profiling VPN devices?

Thanks

Mario

3 REPLIES 3
Tarik Admani
Advocate

One way to accomplish this is to set up a SPAN port for the clients' VLAN that they are coming in from; from that point ISE will be able to profile devices based on their user agent strings.

Hope that helps.

Tarik Admani
*Please rate helpful posts*

Octavian Szolga
Participant

If you're using inline posture, it means that you also use NAC Agent and a posture redirect.

You don't have to set up a SPAN port for the user agent string because, by means of the redirect ACL, ISE will find it anyway.

Moreover, you can use NAC Agent to verify certain OS parameters to figure out what kind of device is used when doing RA VPN.
