
VPN Posture Flexibility Question

GQ
Cisco Employee

We're finding it difficult to put a specific use case into practice with the Posture options.

Employees + Corporate Assets = Posture checking and Remediation

Employees + BYOD devices = Posture checking with no Remediation (AV presence)

Contractors + Corporate Assets = Posture checking but no remediation (authZ denied)

Contractors + BYOD devices = Posture checking with no Remediation (AV presence), same as Employees

The problem is by the time the posture policy is invoked for all of these use cases, there is no way to differentiate the user’s role from the endpoint they have.  It wouldn’t be a problem except the remediations are different.

My solution so far has been that the contractors need their own ASA.  The posture policy in ISE can use the ASA IP (or type/location) as a constraint to match the rule.  Hopefully someone here has a more elegant solution.  It seems like it should be doable but it isn’t looking obvious.

I was thinking it would be great if we had policy sets for the Posture policy.  Maybe the authZ policy could cite Posture policyX for example.

3 Replies

Charlie Moreton
Cisco Employee

You don't need an additional ASA for this.  You can use a different Tunnel Group.  You can then use that tunnel group to determine which Policy Set is used in ISE:

[Attachment: VPN_Group.PNG]

Taking it a step further, you can use the AD Group membership in the Authorization Policy to state that if a contractor connects to the Employee VPN tunnel, then they are either denied access or are redirected to a "Hotspot as a Message Portal" giving specific instruction on which VPN Group is to be connected.

You could also do the reverse with Employees connecting to the Contractor's VPN Tunnel.

Start here for the basic set up for the Hotspot as a Message configuration:

How To: ISE Web Portal Customization Options

Follow Exercise 1.  When you get to Step 7, here is the script:

[Attachment: HotspotAsMessage.PNG]

Also be sure to use any AD Group Memberships in the Posture Policy "Other Conditions" field to assign Posture Policies.

Then you can use Endpoint Identity Groups in the Authorization Policy to determine Corp Owned Devices.

I hope this makes sense.

- Charles Moreton
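As an added illustration of the separate-tunnel-group approach described above (example configuration written for this thread, not Charlie's own config or anything from the original post), the following ASA snippet defines an Employees and a Contractors AnyConnect tunnel group that both authenticate and account against one ISE RADIUS server group. The server-group name, group-policy names, pool range and PSN address are assumed placeholders; the ISE side is shown as a comment because it is configured in the GUI.

```text
! Assumed values: ISE PSN 10.1.1.10, pool VPN_POOL, group-policy names
aaa-server ISE protocol radius
 dynamic-authorization
aaa-server ISE (inside) host 10.1.1.10
 key <radius-shared-secret>
 authentication-port 1812
 accounting-port 1813

ip local pool VPN_POOL 10.200.0.10-10.200.0.250 mask 255.255.255.0

group-policy GP_Employees internal
group-policy GP_Employees attributes
 vpn-tunnel-protocol ssl-client
group-policy GP_Contractors internal
group-policy GP_Contractors attributes
 vpn-tunnel-protocol ssl-client

! One tunnel group per population; the user picks the group (alias) at connect time
tunnel-group Employees type remote-access
tunnel-group Employees general-attributes
 address-pool VPN_POOL
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy GP_Employees
tunnel-group Employees webvpn-attributes
 group-alias Employees enable

tunnel-group Contractors type remote-access
tunnel-group Contractors general-attributes
 address-pool VPN_POOL
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy GP_Contractors
tunnel-group Contractors webvpn-attributes
 group-alias Contractors enable

webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable

! ISE side (GUI, not ASA CLI): the ASA sends the chosen tunnel group in RADIUS, so the
! Policy Set condition becomes
!   Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name EQUALS Contractors
! and a second Policy Set keys on EQUALS Employees; AD group and Endpoint Identity
! Group conditions then live in each set's Authorization Policy as described above.
```

`dynamic-authorization` enables RADIUS CoA from ISE, which the posture redirect and re-authorization after remediation depend on.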

GQ
Cisco Employee

The problem is: how do you allow for Contractors using both corporate assets and BYOD devices? You have to use posture checks for that, but the different posture checks can't be used as posture inputs, meaning:

Contractors connect to Tunnel Group 'Contractors'

Posture check looks for TG=Contractors + AD Group Contractors... but now I need two different postures. One is, if it's a Corp asset, then patches/AV/etc. If it's a BYOD device, only need AV.

By using a second ASA, the posture check can now be:

TG=Contractors + AD Group Contractors + ASA=Contractors

versus

TG=Contractors + AD Group Contractors + ASA=Employees

Trust me, the partner, TAC, and I have looked at it every which way. There just aren't a lot of selectable criteria in the Posture Policy for granular results like the customer wants.

hslai
Cisco Employee

One of the features in the upcoming ISE release might help. I would suggest joining the ISE beta community, if not already done, to get more details.