10-02-2024 09:39 AM
Hello,
I'm working on a POC around posture, and we are using ISE for that.
Basically we would like to have a dedicated subnet for non-compliant endpoints, another one for compliant endpoints.
Now, when Secure Client connects the VPN, ISE sends the group policy for unknown-compliant devices. The client gets the DHCP pool associated to the group policy, acquires an IP address, contacts ISE and gets the list of the things to check to be compliant.
After getting a verdict, let's say we are now compliant, ISE sends COA to ASA to apply new group policy and get more access. At this point we would like the Secure Client to obtain another IP address from the new group policy that contains another DHCP config.
Is there any way this could be feasible?
So far, the COA is sent with another group policy, but this is not taken into account. The "show vpn-sessiondb anyconnect filter name username" command indicates that I'm still using the initial group policy, with no IP change.
10-02-2024 10:16 AM - edited 10-02-2024 10:35 AM
@Kalipso unfortunately you cannot change the group-policy after connecting to a tunnel-group being assigned a group-policy, you can only send a DACL, ACL or SGT via a COA update.
So you should apply either a DACL, ACL or SGT to the noncompliant/unknown devices limiting their access.
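As an added illustration (not from the original reply), this is the kind of DACL an ISE posture flow typically pushes to the ASA for the unknown/non-compliant state: only DNS, the ISE PSN posture ports and a remediation server are reachable, everything else is denied until the CoA after a compliant verdict swaps it for a permissive DACL. The PSN and remediation server addresses are placeholders, and the ISE ports shown are the usual ones for posture (TCP 8443 for the client provisioning portal, TCP 8905 for the posture agent); confirm them against your own deployment.

```text
! ISE > Policy > Policy Elements > Results > Downloadable ACLs
! Name: POSTURE_NONCOMPLIANT  (assumed name, not from the thread)
! Syntax is extended ACL without a name line; ISE pushes it as #ACSACL#-IP-POSTURE_NONCOMPLIANT-<hash>

! name resolution so the client can find the PSN and remediation server
permit udp any any eq domain
! posture agent and client provisioning traffic to the ISE PSN (placeholder address)
permit tcp any host <ISE_PSN_IP> eq 8443
permit tcp any host <ISE_PSN_IP> eq 8905
! remediation server (patch/AV updates), placeholder address
permit ip any host <REMEDIATION_SERVER_IP>
! quarantine everything else until the compliant CoA replaces this DACL
deny ip any any
```

To confirm the CoA actually applied it on the ASA, check the session with "show vpn-sessiondb detail anyconnect filter name <username>": the DACL should appear as the session's filter name after the posture verdict, while the group-policy line stays unchanged, which is exactly the behaviour described above.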
10-02-2024 10:19 AM
Check this: you can make ISE push group-policy to ASA.
MHM
10-03-2024 12:55 AM - edited 10-03-2024 01:44 AM
Hello @MHM Cisco World,
yes sending group policy is ok during authentication/authorization phase.
I confirm ACL and SGT work with COA.
Sending another group policy is just not working with COA as @Rob Ingram mentioned.
10-03-2024 02:15 AM
Then use DACL to block a specific range of IPs from the subnet.
I.e. let's say DHCP assigns IPs from subnet 10.0.0.0/24
Use dacl to deny 10.0.0.0/25 for groupA
Use dacl to deny 10.0.0.64/25 for groupB
MHM