Using Cisco ISE - Inline Posture Node in Bridged or Routed mode?

marioderosa2008 · ‎12-12-2011

Hi all,

if this post is in the wrong forum, then please let me know and I will move it to the correct forum.

I am intending in using a Cisco ISE Inline Posture Node for our VPN clients coming in through our ASA device. I'd like to know whether any functionality is lost when using the Inline Posture Node as a L3 routed device or a L2 Bridged device.

My preferred method, as i understand it, would be to go L2 mode so that I do not have to change any Network Addressing and the device and sit "InlIne" on my VLANs.

Any information on this would be grateful.

Thanks

Mario

Tarik Admani · ‎12-15-2011

It all depends on your setup, for L2 mode you will have to assign a vlan to your clients that come in on a specific group policy and that vlan must be the vlan that terminates on the untrusted interface of your ipep. From there the vlan mapping occurs taking those vpn clients from that GP vlan to a production vlan where they are routed through what ever access that are permitted in your authorization policies.

Basically we woudl have users from 10.x.x.x network to map to a vlan 10 on the ASA group policy, from there the actual routable vlan is 100 so from the ipep (posture node) we will setup the vlan mapping so that all traffic is forced through the ipep and through you production network.

Thanks,

Tarik Admani

marioderosa2008 · ‎05-09-2012

Hi Tarik,

i know that it has been a while. We are going to be doing a Proof Of Concept with the ISE next week and I was wondering whether there are any recommended guides for setting up the ISE with the ASA for inline posturing and profiling of VPN clients?

Thanks

Mario