cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
592
Views
5
Helpful
3
Replies

Dynamic Access Policy Selection changes after device posturing by ISE

Ryders
Level 1
Level 1

I have cisco ISE setup to posture endpoints that connect to our VPN. I setup a separate Dynamic Access Policy (DAP) and connection profile for testing this. Now that it is working, I want to move adjust our current users DAP & connection profile (we have one for all users) to allow posturing. When I make a change to the connection profile's authentication AAA server under the basic tab and switch it to ISE, my endpoint will posture, but once it does, it selects the default profile which terminates the connection. My question is why is a change in posture status causing a different DAP to be selected? From the logs it looks like after posturing the endpoint returns significantly less info.

ASA 5525-x on 9.14(4)15
ISE 2.7 patches 3,5,6,7
anyconnect 4.10.04065

1 Accepted Solution
3 Replies 3

Ryders
Level 1
Level 1

I found that after the first round of posturing is done, ISE (I think) sends back (or loses the extra info) way less info than the ASA initially collects after the Hostscan. I had an endpoint OS requirement that wasn't getting sent back after posturing compliant. I removed the requirement to test and it connected successfully. I would like to be able to deny connections based on the OS type and also hopefully an AD Group membership. It seems like I can send some info back to the ASA through the ISE authorization profile in the advanced attribute section. I will post again if I figure it out. If anyone has any advice on this I would greatly appreciate your input.

 

Right now the DAP requires a certain Tunnel Group and Group Policy. Both of which get returned when postured unknown and compliant.

Ryders
Level 1
Level 1

We are running both hostscan and ISE and that was the issue. The host scan was only running once and ISE wasn't resending that info after the first posture check. I have the authorization policies checking requirements now instead of Dynamic Access Policies. Thank you for the advice Rob.