MS-JK
Beginner

AnyConnect and Posture - allowing user ON first then running posture

Hey team

ISE: 2.3

VPN: 4.7

 

Is anyone aware of a possibility of first connecting to the network via VPN as a user with an assumed compliant status (meaning the user will have full access) and THEN starting the compliance check (in the background)? If it comes back as not compliant, switch the user from full to noncompliant access.

 

Right now, when posture is run on VPN, you have the posture unknown state, which is the REDIRECT ACL on the ASA to allow users to hit ISE PSNs. I'm wondering if there is a way to not redirect only the module when it needs to talk to the PSN but allow users fully on DURING the posture scan.

 

Thanks!

 

 

Accepted Solutions
Rob Ingram
VIP Mentor

Hi,

If you use the ISE Posture Post 2.2 configuration, as per this guide, this relies on the ISE Posture profile already being deployed to the end computer with the call home list configured. The user could connect with full access, run posture and then apply a DACL depending on the output of the scan.

 

HTH
