Cisco AnyConnect VPN question

tinhnho123
Level 2

Hi Guys,

We have had Cisco FTD/FMC AnyConnect VPN up and running for 150 full-time staff for over a year. The staff have company laptops; these laptops are fully joined to the company's AD domain, fully Windows patched, and also have anti-virus installed monthly if not weekly.

We just hired 20 contractors. The contractors don't have company laptops, but they have their own laptops and need access to our AnyConnect VPN. We'd like to give them access to our VPN, but we need to make sure their laptops meet our security requirements (Windows patches, anti-virus, anti-malware software installed, etc.), otherwise they will be denied access. Are there ways that Cisco AnyConnect VPN can check the end hosts for security requirements before authentication happens?

Thanks.

Accepted Solutions

@tinhnho123

Not natively in FMC; currently the only option is using Cisco ISE as well for authorization and posturing.

The users would connect to the VPN in a posture unknown state with limited access. Posture checks would be run to determine compliance (patches, AV, AM, registry values, etc.), and if compliant they would be granted full/additional access to the network.

Reference:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215236-ise-posture-over-anyconnect-remote-acces.html


@Rob Ingram Thanks sir!