01-13-2020 11:33 PM - edited 02-21-2020 09:50 PM
Hey team
ISE: 2.3
VPN: 4.7
Is anyone aware of a possibility of first connecting to the network via VPN as a user and having a compliant assumed status (meaning the user will have full access), THEN starting the compliance check (in the background)? If it comes back as not compliant, switch the user from full to noncompliant access.
Right now, when posture is run on VPN, you have the posture unknown state, which is the REDIRECT ACL on ASA to allow users to hit ISE PSNs. I'm wondering if there is a way to not redirect only the module when it needs to talk to the PSN but allow users fully on DURING the posture scan.
Thanks!
01-14-2020 01:30 AM
Hi,
If you use the ISE Posture Post 2.2 configuration, as per this guide. This relies on the ISE Posture profile already being deployed to the end computer with the call home list configured. The user could connect with full access, run posture and then apply a DACL depending on the output of the scan.
HTH