08-08-2019 09:29 PM
08-09-2019 12:34 AM
Hi,
Upon first connection the user's computer will be in a posture unknown state, the user will be authenticated and authorized and received an IP address from the VPN Pool. Normally you would restrict access by using a DACL (providing access to ISE, ICMP and DNS) in order for the posture checks to be run. Upon successful posturing, the state would change to compliant at which point a CoA (change of authorization) is sent and the user is re-authorized, providing full access.
ISE Posturing can check for Anti-Virus, Anti-Malware, OS, Hotfix, Personal Firewall etc. If posturing is successful then full access is granted, if unsuccessful the device can be quarantined, restricting access.
If you want only your domain computers to connect to the VPN, then you can use double authentication on the FW (I assume ASA). You can use certificates issued from your Internal CA (which only your domain computers trust) for the first authentication, this will be mutually authenticated between the VPN client and the ASA. The 2nd authentication will be RADIUS to ISE.
No you don't need Hostscan.
HTH
08-09-2019 02:44 AM
Hi RJI,
Thank you for your help.
Can you help me by clearing my doubts on the below?
What kind of authentication and authorization will there be when a user is in a posture unknown state? If that fails, does the user still receive an IP address from the VPN pool, and then authentication & authorization run again and then a further posture check?
Can I skip CA certificate authentication for my domain users to connect to AnyConnect VPN from outside? If not, can I use a self-signed certificate for the same?
Please help.
08-09-2019 02:53 AM
Hi,
The user must fully authenticate using whatever method you configured, upon first connection every user's posture state will be unknown until the posture scan is run and then the state will change to either non-compliant or compliant.
There will be 3 ISE authorization rules: unknown, non-compliant and compliant, these refer to the posture states. Here is the ISE VPN Configuration guide.
You don't need to have the certificate authentication, it could be used to determine whether the computer has a valid certificate. You could check a registry setting on ISE to determine whether the computer is joined to an AD domain instead. Self-signed certificates are possible, but not scalable.
HTH
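The posture-unknown DACL from the first reply and the three posture-state authorization rules from this one, as an added example that is not part of the original thread: these are ISE-format DACL lines (IOS extended ACE syntax without the `access-list` prefix) for the unknown state. 10.0.0.5 is a placeholder for the ISE policy service node's address; the posture ports are TCP 8443 for client provisioning and TCP/UDP 8905 for the posture agent.

```text
remark Posture-unknown DACL: only ISE, DNS and ICMP until the scan completes
remark --- DNS so the client can resolve the ISE PSN name ---
permit udp any any eq domain
remark --- ICMP for reachability checks ---
permit icmp any any
remark --- ISE PSN: client provisioning portal and posture agent ---
permit tcp any host 10.0.0.5 eq 8443
permit tcp any host 10.0.0.5 eq 8905
permit udp any host 10.0.0.5 eq 8905
remark --- everything else waits for the CoA after a compliant result ---
deny ip any any
```

Bind this DACL to the authorization profile matched by the posture-unknown rule, give the non-compliant rule a quarantine DACL, and let the compliant rule return full access; on the ASA the RADIUS server group needs `dynamic-authorization` so the CoA that re-authorizes the session is accepted.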