Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4182
Views
0
Helpful
4
Replies

Cisco ISE posture check for VPN

Go to solution
Marcus Peck
Level 1
Level 1

‎04-05-2015 09:10 PM - edited ‎03-10-2019 10:36 PM

Hello community,

 

first of all thank you for taking time reading my post. I have a deployment in which requires the feature posture checks on VPN machines from Cisco ISE. I know logically once a machine is in the LAN, Cisco ISE can detect it and enforce posture checks on clients with the Anyconnect agent but how about VPN machines? The VPN will be terminated via a VPN concentrator which then connects to an ASA5555X which is deployed as an IPS only. Are there any clues to this? 

 

Thank you!

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
mohanak
Cisco Employee
Cisco Employee

‎04-06-2015 04:24 AM

The Cisco ASA Version 9.2.1 supports RADIUS Change of Authorization (CoA) (RFC 5176). This allows for posturing of VPN users against the Cisco ISE without the need for an IPN. After a VPN user logs in, the ASA redirects web traffic to the ISE, where the user is provisioned with a Network Admission Control (NAC) Agent or Web Agent. The agent performs specific checks on the user machine in order to determine its compliance against a configured set of posture rules, such as Operating System (OS), patches, AntiVirus, Service, Application, or Registry rules.

The results of the posture validation are then sent to the ISE. If the machine is deemed complaint, then the ISE can send a RADIUS CoA to the ASA with the new set of authorization policies. After successful posture validation and CoA, the user is allowed access to the internal resources.

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

View solution in original post

0 Helpful

Go to solution
Venkatesh Attuluri
Cisco Employee
Cisco Employee
In response to Marcus Peck

‎04-14-2015 02:05 AM

ISE will not be able to perform posture with out agent

View solution in original post

0 Helpful
4 Replies 4

Go to solution
mohanak
Cisco Employee
Cisco Employee

‎04-06-2015 04:24 AM

The Cisco ASA Version 9.2.1 supports RADIUS Change of Authorization (CoA) (RFC 5176). This allows for posturing of VPN users against the Cisco ISE without the need for an IPN. After a VPN user logs in, the ASA redirects web traffic to the ISE, where the user is provisioned with a Network Admission Control (NAC) Agent or Web Agent. The agent performs specific checks on the user machine in order to determine its compliance against a configured set of posture rules, such as Operating System (OS), patches, AntiVirus, Service, Application, or Registry rules.

The results of the posture validation are then sent to the ISE. If the machine is deemed complaint, then the ISE can send a RADIUS CoA to the ASA with the new set of authorization policies. After successful posture validation and CoA, the user is allowed access to the internal resources.

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

0 Helpful

Go to solution
Marcus Peck
Level 1
Level 1
In response to mohanak

‎04-13-2015 06:59 PM

Hi Mohanak,

 

thank you for your reply. I have just got an update on the requirement and the VPN is connected site-to-site without Anyconnect and it will be always connected, it is performed on the router level. The remote machine is a virtual desktop and once the VPN session is over, the vDT will be deleted and a new vDT will be created when a VPN session from the endpoint is established. Without the Anyconnect agent, will ISE be able to perform posture checks on such requirement?

0 Helpful

Go to solution
Venkatesh Attuluri
Cisco Employee
Cisco Employee
In response to Marcus Peck

‎04-14-2015 02:05 AM

ISE will not be able to perform posture with out agent

0 Helpful

Go to solution
Marcus Peck
Level 1
Level 1
In response to mohanak

‎04-27-2015 06:24 PM

Hi Mohanak,

 

If the VPN is a site-to-site tunnel with each end terminating to a VPN concentrator, and this VPN concentrator is connected to an ASA, how then would ISE be able to perform posture checks?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents