Anyconnect Vpn using ISE Posture

Hi All, I want to set up AnyConnect VPN using ISE posture. As I'm doing this for the first time, I need help on the points below.

1) Will my user connecting to the AnyConnect VPN from outside get an IP address from the VPN pool first, and then will authentication, authorization and all required roles or posturing be done to authorize the end user machine as compliant or not?

2) What posturing will ISE do? For example, will it check that the user's machine has an updated Windows version, patches and antivirus, and then authorize it to provide full access/corporate network access?

3) Will I require any kind of specific certificate, as I want only my domain-based users to be able to connect to the AnyConnect VPN from outside?

4) Will I also require HostScan iOS in my case, or will ISE posturing make it work?
Accepted Solution
Hi,

Upon first connection the user's computer will be in a posture unknown state; the user will be authenticated and authorized and receive an IP address from the VPN pool. Normally you would restrict access by using a DACL (providing access to ISE, ICMP and DNS) in order for the posture checks to be run. Upon successful posturing, the state would change to compliant, at which point a CoA (change of authorization) is sent and the user is re-authorized, providing full access.

ISE posturing can check for Anti-Virus, Anti-Malware, OS, Hotfix, Personal Firewall etc. If posturing is successful then full access is granted; if unsuccessful the device can be quarantined, restricting access.

If you want only your domain computers to connect to the VPN, then you can use double authentication on the FW (I assume ASA). You can use certificates issued from your internal CA (which only your domain computers trust) for the first authentication; this will be mutually authenticated between the VPN client and the ASA. The 2nd authentication will be RADIUS to ISE.

No, you don't need HostScan.

HTH
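As an added illustration (not part of this thread or any Cisco document), here is a downloadable ACL of the shape the answer above describes, meant for the posture-unknown authorization result: it lets the client reach DNS, ICMP and ISE only, and blocks everything else until the compliant CoA arrives. The ISE Policy Service Node address 192.0.2.10 is a placeholder, the ports are assumptions taken from the ISE ports reference (TCP 8443 for the client provisioning portal, TCP/UDP 8905 for posture agent discovery), and the `!` lines are annotations that must be stripped before pasting the ACEs into the ISE dACL editor.

```text
! Example dACL for the ISE "posture unknown" authorization result (ASA VPN).
! 192.0.2.10 is a placeholder for the ISE Policy Service Node.
! DNS, so the client can resolve the ISE portal name
permit udp any any eq domain
! ICMP, for basic reachability checks
permit icmp any any
! Client provisioning portal / AnyConnect posture module download (assumed port)
permit tcp any host 192.0.2.10 eq 8443
! Posture agent discovery and status reporting (assumed port)
permit tcp any host 192.0.2.10 eq 8905
permit udp any host 192.0.2.10 eq 8905
! Everything else waits for the CoA that moves the session to the compliant rule
deny ip any any
```

The compliant authorization rule would then push a permissive dACL (or none), and the non-compliant rule a remediation-only one, so that the three rules together implement the unknown, non-compliant and compliant states.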


3 Replies


Hi RJI,

Thank you for your help.

Can you help me clear my doubts on the points below?

What kind of authentication and authorization will there be when a user is in a posture unknown state? If that fails, will the user still receive an IP address from the VPN pool, and then authentication and authorization run again, and then a further posture check?

Can I skip CA certificate authentication for my domain users connecting to the AnyConnect VPN from outside? If not, can I use a self-signed certificate for the same?

Please help.

Hi,

The user must fully authenticate using whatever method you configured. Upon first connection every user's posture state will be unknown until the posture scan is run, and then the state will change to either non-compliant or compliant.

There will be 3 ISE authorization rules: unknown, non-compliant and compliant. These refer to the posture states. Here is the ISE VPN configuration guide.

You don't need to have the certificate authentication; it could be used to determine whether the computer has a valid certificate. You could check a registry setting on ISE to determine whether the computer is joined to an AD domain instead. Self-signed certificates are possible, but not scalable.

HTH
