cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
152
Views
0
Helpful
3
Replies

Anyconnect Vpn using ISE Posture

Hi All, I want to setup anyconnect Vpn using ISE posture, as I'm doing this for first time I need help on some below points. 1) Will my User connecting anyconnect Vpn from Outside get IP address from Vpn pool first, and then authentication, authorization and all required roles or posturing will be done to authorize end user machine to be complaint or not. 2) What are the posturing will ISE do example, will it checks Users machine having updated Windows version, patch & antivirus and then authorize it to provide full access/corporate network access. 3) Will I required any kind of specific Certificate as I want my only my domain based users able to connect to anyconnect Vpn from Outside. 4) Will I required Hotscan iOS also required in my case, or ISE posturing will make it work.
1 ACCEPTED SOLUTION

Accepted Solutions
VIP Advocate RJI VIP Advocate
VIP Advocate

Re: Anyconnect Vpn using ISE Posture

Hi,

Upon first connection the user's computer will be in a posture unknown state, the user will be authenticated and authorized and received an IP address from the VPN Pool. Normally you would restrict access by using a DACL (providing access to ISE, ICMP and DNS) in order for the posture checks to be run. Upon successful posturing, the state would change to compliant at which point a CoA (change of authorization) is sent and the user is re-authorized, providing full access.

 

ISE Posturing can check for Anti-Virus, Anti-Malware, OS, Hotfix, Personal Firewall etc. If posturing is sucessful then full access is granted, if un-sucessful the device can be quarantined, restricting access.

 

If you want only your domain computers to connect to the VPN, then you can use double authentication on the FW (I assume ASA). You can user certificates issued from your Internal CA (which only your domain computers trust) for the first authentication, this will be mutually authenticated between the VPN client and the ASA. The 2nd authentication will be RADIUS to ISE.

 

No you don't need Hostscan.

 

HTH

3 REPLIES 3
VIP Advocate RJI VIP Advocate
VIP Advocate

Re: Anyconnect Vpn using ISE Posture

Hi,

Upon first connection the user's computer will be in a posture unknown state, the user will be authenticated and authorized and received an IP address from the VPN Pool. Normally you would restrict access by using a DACL (providing access to ISE, ICMP and DNS) in order for the posture checks to be run. Upon successful posturing, the state would change to compliant at which point a CoA (change of authorization) is sent and the user is re-authorized, providing full access.

 

ISE Posturing can check for Anti-Virus, Anti-Malware, OS, Hotfix, Personal Firewall etc. If posturing is sucessful then full access is granted, if un-sucessful the device can be quarantined, restricting access.

 

If you want only your domain computers to connect to the VPN, then you can use double authentication on the FW (I assume ASA). You can user certificates issued from your Internal CA (which only your domain computers trust) for the first authentication, this will be mutually authenticated between the VPN client and the ASA. The 2nd authentication will be RADIUS to ISE.

 

No you don't need Hostscan.

 

HTH

Re: Anyconnect Vpn using ISE Posture

Hi RJI,

 

Thank you for your help.

 

Can you help me in regarding clearing my doubts on below

What kind of Authentication and Authorization will be when a user in a posture unknown state, if that fails user still receive a IP Address from VPN pool and then again authentication & authorization run and then further posture check.

 

Can i skip CA certificate authentication for my domain users to connect anyconnect vpn from outside, if not can i use self signed certificate for same.

 

Please help.

Highlighted
VIP Advocate RJI VIP Advocate
VIP Advocate

Re: Anyconnect Vpn using ISE Posture

Hi,

The user must fully authenticate using whatever method you configured, upon first connection every users posture state will be unknown until the posture scan is run and then the state will change to either non-compliant or compliant.

 

There will be 3 ISE authorization rules:- unknown, non-compliant and compliant, these refer to the posture states. Here is ISE VPN Configuration guide.

 

You don't need to have the certificate authentication, it could be used to determine whether the computer has a valid certificate. You could check a registry setting on ISE to determine whether the computer is joined to an AD domain instead. Self certificates is possible, but not scalable.

 

HTH