VPN inline posture using iPEP ISE and cisco ASA

yong khang NG
Level 5

Hi All,

I would like to check these 2 questions with you all:

Question 1:

For VPN inline posture using iPEP ISE and Cisco ASA: is it mandatory for the endpoint VPN client to go through client provisioning and posture after authentication?

Can I just simplify the process as: authentication success, CoA according to the configured AuthZ profile, full access?

Question 2:

For design perspective (VPN inline posture using iPEP ISE and cisco ASA platform):

For the Remote Access VPN (VPN client using AnyConnect Secure Mobility Client), we will configure the AnyConnect client profile for the VPN client in the PRE-login phase.

What is the practice for Post-Login phase authorization policy provisioning? Is the only option that, after the CoA happens, VPN users are provisioned with the authorization profile and dACL from the ISE policy service node?

Can we still inherit or use the settings in the AnyConnect client profile's group policy?

Is there any document discussing this topic: authorization policy for post-login in the environment of VPN inline posture using iPEP, with the ISE policy service node serving as the central policy?

It would be lovely if you could share the relevant reference URL regarding this topic.

My platform uses these devices and versions:

a. ISE 3355, ISE version 1.1

b. ASA 5520, ASA version 8.4.2

Thanks

Noel

6 Replies

Tarik Admani
VIP Alumni

Noel,

It is not mandatory to deploy an inline node if you are only performing authentication.

If you want to download ACLs to the client to restrict access, you can do that from the central PSN.

The entire purpose of iPEP is to dynamically change the user's access through Change of Authorization at the inline node.

Also, the client must have a VPN session established before the iPEP builds a session and determines its access policy.

Let me know if this helps


Hi Tarik,

Thanks for your reply. But my concern is on the POST-LOGIN phase authorization part.

Can the ISE policy service node perform the features that the ASDM remote access VPN AnyConnect group policy can do? For example, split tunnel.

Thanks

Noel

Tarik Admani
VIP Alumni

Are you trying to assign access lists to users?

If so, you can do this through RADIUS and do not need iPEP.

iPEP is only for CoA. Here is an example of what I use iPEP for.

I establish a VPN connection. I hit a remediation policy, and the ASA routes all my traffic to the iPEP (at this point the ASA is done authenticating). Now the iPEP is enforcing the remediation policy by redirecting all my traffic to the policy service node (via a downloadable ACL defined on the ISE remediation policy), and allowing me access to the McAfee server and Windows Update server in case I am out of compliance.

After I meet the requirements, the agent report lets ISE know I am compliant, and a CoA is sent to the iPEP, where my access is elevated to a compliant policy. The iPEP applies a new access list to my session and removes the redirection policy.

Thanks

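To make the flow in the reply above concrete, here is an added configuration example (not from the thread and not Tarik's or Cisco's own config) showing the ASA 8.4 side of that design: RADIUS authentication and authorization against the ISE PSN, a group policy that carries the post-login settings such as split tunnel, and a comment on which RADIUS attribute ISE returns to select it. All names, addresses and ACL contents (ISE-PSN, 10.1.1.10, RA-VPN, GP-SPLIT, GP-NOACCESS, SPLIT-ACL) are placeholders.

```text
! Added example, not part of the original thread. Placeholder names throughout.
!
! RADIUS server group pointing at the ISE Policy Service Node.
aaa-server ISE-PSN protocol radius
aaa-server ISE-PSN (inside) host 10.1.1.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
!
! Group policy holding the post-login settings the session inherits
! (split tunnel here). It is selected per user by an attribute ISE returns,
! so the split-tunnel ACL still lives on the ASA, not on ISE.
access-list SPLIT-ACL standard permit 10.0.0.0 255.0.0.0
group-policy GP-SPLIT internal
group-policy GP-SPLIT attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
!
! Restrictive fallback if ISE returns no group-policy selection.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Tunnel group: authenticate, authorize and account against ISE.
! (For a second factor, ASA 8.2+ can add
!  "secondary-authentication-server-group <sdi-group>" here; assumed, not shown.)
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ISE-PSN
 authorization-server-group ISE-PSN
 accounting-server-group ISE-PSN
 default-group-policy GP-NOACCESS
!
! ISE side (authorization profile on the matching rule): return
!   Class (IETF attribute 25) = OU=GP-SPLIT;
! which the ASA maps to the group policy above. A Filter-Id naming an ASA ACL,
! or a downloadable ACL, can restrict the session further.
! ASA 8.4(2) does not accept RADIUS CoA itself, which is why the
! posture-driven access change after login is applied by the iPEP in the path.
```

The practical check: after a test login, `show vpn-sessiondb anyconnect` on the ASA should show the session bound to the group policy named in the returned `Class` attribute; if it lands in the fallback policy, the authorization profile is not returning the attribute in the `OU=...;` form the ASA expects.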

Hi Tarik,

First of all, thanks for the reply. Here are some follow-up questions.

I would like to make some amendments to my business requirement.

01. It is 2-factor authentication, where user credentials are validated on an external ID store (AD) and an RSA token. The agent is the AnyConnect VPN client.

This part I am a bit confused about. What does the authentication sequence look like? Because I am thinking that when the iPEP and PSN are done with the RADIUS Access-Request and Access-Accept, only then is the RSA SDI challenge done?

After this part is done, there is posture validation checking whether the user has installed the NAC agent. If yes, only then grant access to the network.

02. Since this involves RADIUS authentication, where can I create the authorization profile for the user? Can ISE PSN authorization do a split-tunnel kind of feature? (Is it necessary to configure a custom AV-pair attribute etc. for this?)

03. Please suggest and comment, with the business requirement of

a. 2-factor authentication (RSA, external ID store)

b. Using ISE PSN for authorization profile (Instead of ASA)

c. posture checking that the NAC agent is installed.

Client OSes are all Windows 7 64-bit.

Attached topology1.png diagram for reference

Thanks

Hi,

These are questions that I am not able to answer at the moment, since I haven't had a chance to lab these up. However, if you are an ATP partner and are looking for help, you can wait for someone who can chime in on the forums or use the Partner Help Desk:

http://www.cisco.com/web/partners/tools/pdihd_faqs.html

Or you can open a TAC case to get these issues resolved much faster.

Thanks,

Tarik Admani

vikasyad
Level 1

Please review the links below, which might be helpful, as this is already covered on the support forum:

https://supportforums.cisco.com/docs/DOC-24412

http://www.cisco.com/image/gif/paws/115724/vpn-inpost-asa-00.pdf