cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1949
Views
0
Helpful
4
Replies
Beginner

Cisco ISE posture check for VPN

Hello community,

 

first of all thank you for taking time reading my post. I have a deployment in which requires the feature posture checks on VPN machines from Cisco ISE. I know logically once a machine is in the LAN, Cisco ISE can detect it and enforce posture checks on clients with the Anyconnect agent but how about VPN machines? The VPN will be terminated via a VPN concentrator which then connects to an ASA5555X which is deployed as an IPS only. Are there any clues to this? 

 

Thank you!

2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

The Cisco ASA Version 9.2.1

The Cisco ASA Version 9.2.1 supports RADIUS Change of Authorization (CoA) (RFC 5176). This allows for posturing of VPN users against the Cisco ISE without the need for an IPN. After a VPN user logs in, the ASA redirects web traffic to the ISE, where the user is provisioned with a Network Admission Control (NAC) Agent or Web Agent. The agent performs specific checks on the user machine in order to determine its compliance against a configured set of posture rules, such as Operating System (OS), patches, AntiVirus, Service, Application, or Registry rules.

The results of the posture validation are then sent to the ISE. If the machine is deemed complaint, then the ISE can send a RADIUS CoA to the ASA with the new set of authorization policies. After successful posture validation and CoA, the user is allowed access to the internal resources.

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

Cisco Employee

ISE will not be able to

ISE will not be able to perform posture with out agent

4 REPLIES 4
Cisco Employee

The Cisco ASA Version 9.2.1

The Cisco ASA Version 9.2.1 supports RADIUS Change of Authorization (CoA) (RFC 5176). This allows for posturing of VPN users against the Cisco ISE without the need for an IPN. After a VPN user logs in, the ASA redirects web traffic to the ISE, where the user is provisioned with a Network Admission Control (NAC) Agent or Web Agent. The agent performs specific checks on the user machine in order to determine its compliance against a configured set of posture rules, such as Operating System (OS), patches, AntiVirus, Service, Application, or Registry rules.

The results of the posture validation are then sent to the ISE. If the machine is deemed complaint, then the ISE can send a RADIUS CoA to the ASA with the new set of authorization policies. After successful posture validation and CoA, the user is allowed access to the internal resources.

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

Beginner

Hi Mohanak, thank you for

Hi Mohanak,

 

thank you for your reply. I have just got an update on the requirement and the VPN is connected site-to-site without Anyconnect and it will be always connected, it is performed on the router level. The remote machine is a virtual desktop and once the VPN session is over, the vDT will be deleted and a new vDT will be created when a VPN session from the endpoint is established. Without the Anyconnect agent, will ISE be able to perform posture checks on such requirement?

Cisco Employee

ISE will not be able to

ISE will not be able to perform posture with out agent

Beginner

Hi Mohanak, If the VPN is a

Hi Mohanak,

 

If the VPN is a site-to-site tunnel with each end terminating to a VPN concentrator, and this VPN concentrator is connected to an ASA, how then would ISE be able to perform posture checks?