
Remote Access VPN posturing with Cisco ISE 1.1.1

marioderosa2008
Level 1

Hi all,

We would like to start using our ISE for Remote VPN access.

We have run a proof of concept with the ISE & IPEP with a Cisco ASA5505. We got the authentication working; however, posturing of the client did not work.

That was a few months ago and so I was wondering whether any design document is available specifically around Using the Cisco ISE for Authenticating & Posturing Remote Access VPN clients.

I understand that version 9 of the ASA code is supposed to eliminate the need for Inline Posture. Does anyone know whether this will also allow posturing too?

We do intend to buy Cisco ASRs as well, but I am sceptical of this as I do not know how many VPN licenses you get out of the box. The ASAs we have allow up to 5000 IPSec VPNs without having to purchase any licensing. What I do not want to do is to switch to SSL VPNs as this again will increase cost.

I know ISRs are supported NADs, but what about ASRs? There is no mention.

Any advice will be appreciated!

Mario

4 Replies

marioderosa2008
Level 1

If anyone has setup the ISE to authenticate and posture Remote Access VPN clients I would be very interested in knowing how you achieved this.

The statement below is actually incorrect... "We got the authentication working however posturing of the client did not work."

It was actually the other way around. Posturing worked fine but there was a limitation with the Inline Posture Node handling Certificate Authentication.

Does anyone know if Certificate Authentication with Inline Posture and ASA is working fine now?

Mario

marioderosa2008
Level 1

OK, I have come across the Cisco Validated Design for BYOD and in there it has a section about Authenticating VPNs.

That's great... however, it does not mention using the Inline Posture node. Does anyone know if there is a limitation using Inline Posture and SSL VPNs...?

Essentially, my requirements are:

2-factor authentication VPN using a Certificate & RSA Token

Posturing of the VPN endpoint.

Ideally I would like to use IPSec VPNs as I have licenses already for these on my ASAs. But if it will only work with SSL & AnyConnect, then so be it.

Can anyone help?

Mario

marioderosa2008
Level 1

I have moved the discussion to the VPN forum in case this query is too VPN specific.

alicaparker986
Level 1

The Cisco ISE can be used for both authenticating and posturing remote access VPN clients. A design document detailing the implementation of ISE for this purpose can be found in the Cisco ISE documentation.

Regarding version 9 of the Cisco ASA code, it eliminates the need for Inline Posture by integrating posture assessment into the VPN client. This should allow for posturing without any additional configuration.

Regarding VPN licensing for Cisco ASRs, the number of VPN licenses depends on the specific model and software version of the ASR. It is recommended to check the datasheet or product specifications for each specific model to determine the number of VPN licenses included.

As for support for NADs on ISRs and ASRs, NADs are supported on ISRs but not explicitly mentioned for ASRs. It is recommended to check the specific product specifications or consult with a Cisco representative for more information on NAD support on ASRs.
