VPN device profiling issue ISE In Line with ASA

marioderosa2008
Level 1

Hi all,

We have an inline posture ISE which is acting as a RADIUS server for authenticating VPN clients through our ASA.

However, because VPN clients do not send their MAC like wireless and wired clients do, the ISE cannot profile based on MAC as it does by default.

Has anyone come across this issue and have another way of profiling VPN devices?

Thanks

Mario


Tarik Admani
VIP Alumni

One way to accomplish this is to set up a SPAN port for the client VLAN that they are coming in from; from that point ISE will be able to profile devices based on their user agent strings.

Hope that helps.

Tarik Admani
*Please rate helpful posts*

Octavian Szolga
Level 4

If you're using inline posture, it means that you also use NAC Agent and a posture redirect.

You don't have to set up a SPAN port for the user agent string because, by means of the redirect ACL, ISE will find it anyway.

Moreover, you can use NAC Agent to verify certain OS parameters to figure out what kind of device is used when doing RA VPN.