AnyConnect and Posture - allowing user ON first then running posture

Hey team

ISE: 2.3

VPN: 4.7

Is anyone aware of a possibility of first connecting to the network via VPN as a user and having an assumed compliant status (meaning the user will have full access), THEN starting the compliance check (in the background)? If it comes back as not compliant, switch the user from full to noncompliant access.

Right now, when posture is run on VPN, you have the posture unknown state, which is the REDIRECT ACL on the ASA to allow users to hit the ISE PSNs. I'm wondering if there is a way to not redirect only the module when it needs to talk to the PSN but allow users fully on DURING the posture scan.

Thanks!

1 ACCEPTED SOLUTION

RJI Advisor

Re: AnyConnect and Posture - allowing user ON first then running posture

Hi,

If you use the ISE Posture Post 2.2 configuration, as per this guide, the user could connect with full access, run posture and then apply a DACL depending on the output of the scan. This relies on the ISE Posture profile already being deployed to the end computer with the call home list configured.

HTH
