Can ASA receive COA to make SecureClient change its VPN IP

Kalipso
Level 1

Hello, 

I'm working on a POC around posture, and we are using ISE for that.

Basically we would like to have a dedicated subnet for non-compliant endpoints, another one for compliant endpoints.

Now, when Secure Client connects to the VPN, ISE sends the group policy for unknown-compliance devices. The client gets the DHCP pool associated with the group policy, acquires an IP address, contacts ISE and gets the list of things to check to be compliant.

After getting a verdict, let's say we are now compliant, ISE sends a COA to the ASA to apply the new group policy and grant more access. At this point we would like Secure Client to obtain another IP address from the new group policy, which contains another DHCP config.

Is there any way this could be feasible?

So far, the COA is sent with another group policy, but this is not taken into account. The "show vpn-sessiondb anyconnect filter name username" command indicates that I'm still using the initial group policy, with no IP change.

4 Replies

@Kalipso, unfortunately you cannot change the group-policy after connecting to a tunnel-group and being assigned a group-policy; you can only send a DACL, ACL or SGT via a COA update.

So you should apply either a DACL, ACL or SGT to the noncompliant/unknown devices, limiting their access.

Hello @MHM Cisco World,

Yes, sending a group policy is OK during the authentication/authorization phase.

I confirm ACL and SGT work with COA.

Sending another group policy is just not working with COA as @Rob Ingram mentioned. 

Then use a DACL to block a specific range of IPs from the subnet.

I.e., let's say DHCP assigns IPs from subnet 10.0.0.0/24.

Use a DACL to deny 10.0.0.0/25 for groupA.

Use a DACL to deny 10.0.0.64/25 for groupB.

MHM
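Added example, not code from the thread: a small Python check for the DACL approach described above. It validates a per-group deny plan against the DHCP pool before the ACEs are pushed from ISE, reporting prefixes with host bits set (the ASA applies the masked network, not the prefix as written), prefixes outside the pool, and ranges denied for more than one group. The pool and deny prefixes are constructed input taken from the thread; the group names are assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed input using the thread's values: one DHCP pool, one deny ACE per posture group.
DHCP_POOL = "10.0.0.0/24"
DACL_DENIES = {
    "groupA": ["10.0.0.0/25"],
    "groupB": ["10.0.0.64/25"],
}


def normalize(prefix: str) -> Tuple[ipaddress.IPv4Network, bool]:
    """Return the network a prefix actually matches and whether host bits were set.

    An ACE written as 10.0.0.64/25 is masked to 10.0.0.0/25 on the wire, so the
    flag tells the caller the written prefix differs from what gets enforced.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    return net, str(net) != prefix


def check_dacl_split(pool: str, denies: Dict[str, List[str]]) -> List[str]:
    """Validate a per-group DACL deny plan against the DHCP pool it carves up.

    Returns a list of findings; an empty list means the plan is consistent.
    """
    pool_net = ipaddress.ip_network(pool)
    findings: List[str] = []
    seen: List[Tuple[str, ipaddress.IPv4Network]] = []
    for group, prefixes in denies.items():
        for prefix in prefixes:
            net, host_bits = normalize(prefix)
            if host_bits:
                findings.append(f"{group}: {prefix} has host bits set; ASA applies it as {net}")
            if not net.subnet_of(pool_net):
                findings.append(f"{group}: {net} is outside DHCP pool {pool_net}")
            # Overlapping denies across groups mean the split does not partition the pool.
            for other_group, other in seen:
                if other_group != group and net.overlaps(other):
                    findings.append(f"{group}/{other_group}: {net} and {other} both denied")
            seen.append((group, net))
    return findings


def allowed_in_pool(pool: str, deny_prefixes: List[str]) -> List[str]:
    """Return the parts of the pool a group can still reach after its denies apply."""
    remaining = [ipaddress.ip_network(pool)]
    for prefix in deny_prefixes:
        net, _ = normalize(prefix)
        remaining = [piece for r in remaining
                     for piece in (r.address_exclude(net) if net.subnet_of(r) else [r])]
    return sorted(str(r) for r in remaining)


if __name__ == "__main__":
    for finding in check_dacl_split(DHCP_POOL, DACL_DENIES) or ["plan is consistent"]:
        print(finding)
```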