I have the following setup for VPN inline posturing:
VPN Users ----- ASA ----- ISE (ipep) ------ Core SW
On the ASA, I have 2 tunnel-groups: the 1st one uses ISE as the RADIUS server, and the 2nd one uses local authentication, and they share the same IP pool (ASA inside interface subnet).
When users connect to the tunnel-group with ISE, all is working fine: the NAC agent is installed and users can access internal resources.
When any user connects to the tunnel-group without ISE, he cannot access any internal resources, even though routing and everything else is configured.
The filter configuration here is only applied to the ASA inside interface; when I add the whole subnet to the filter configuration, we can access the inside VLANs, but without it we cannot.
Does this mean that I bypass posture assessment for all the traffic from this pool (with and without ISE)? Or do I need to have 2 separate pools for that? The filter configuration is not that clear in this setup.
For certain devices, you may want to bypass authentication, posture assessment, role assignment, or any combination thereof. Common examples of bypassed device types include printers, IP phones, servers, nonclient machines, and network devices.
Inline Posture matches the MAC, MAC and IP, or subnet address to determine whether the bypass function is enabled for a device. You can choose to bypass policy enforcement or to forcibly block access.
Caution: Do not configure the MAC address in a MAC filter for a directly connected ASA VPN device without also entering the IP address. Without the addition of the optional IP address, VPN clients are allowed to bypass policy enforcement. This bypass happens because the VPN is a Layer 3 hop for clients, and the device uses its own MAC address as the source address to send packets along the network toward the Inline Posture node.
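The two questions in this thread (does a subnet filter on a shared pool bypass posture for both tunnel-groups, and why a MAC-only filter for the ASA bypasses every VPN client) both come down to how the filter entries above are matched. The following is an added example written for this thread, not code from the original posts or from Cisco ISE: it is a small model of the matching rules the documentation describes (MAC, MAC+IP, or subnet) and runs the three scenarios. The ASA MAC address, the client IPs, and the "first matching entry wins" ordering are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of Inline Posture (IPN) filter matching. Not ISE's
# implementation; the values below are assumptions made for the example.
ASA_MAC = "00:1a:2b:3c:4d:5e"   # assumed MAC of the ASA inside interface


@dataclass
class FilterEntry:
    action: str                   # "bypass" (skip policy enforcement) or "block"
    mac: Optional[str] = None     # MAC filter; add ip to pin it to one host
    ip: Optional[str] = None
    subnet: Optional[str] = None  # subnet filter, e.g. "192.168.4.0/22"

    def matches(self, src_mac: str, src_ip: str) -> bool:
        """Subnet entries match on source IP only; MAC entries match the
        source MAC and, if an IP was entered, that IP as well."""
        if self.subnet is not None:
            return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.subnet)
        if self.mac is None or self.mac.lower() != src_mac.lower():
            return False
        return self.ip is None or self.ip == src_ip


def ipn_decision(filters: List[FilterEntry], src_mac: str, src_ip: str) -> str:
    """Return 'bypass', 'block' or 'enforce' for a packet arriving at the IPN.
    First matching entry wins (an assumption of this model)."""
    for entry in filters:
        if entry.matches(src_mac, src_ip):
            return entry.action
    return "enforce"


def vpn_packet(client_ip: str) -> Tuple[str, str]:
    """The ASA is a Layer 3 hop: it forwards the client's packet with its own
    MAC as the source, so the IPN never sees the client's real MAC."""
    return ASA_MAC, client_ip


def shared_pool_scenario() -> Tuple[str, str]:
    """One pool for both tunnel-groups plus a subnet bypass entry: the
    ISE-authenticated client and the locally-authenticated client get the
    same decision, because the filter cannot tell them apart by address."""
    filters = [FilterEntry(action="bypass", subnet="192.168.0.0/22")]
    ise_client = ipn_decision(filters, *vpn_packet("192.168.1.10"))
    local_client = ipn_decision(filters, *vpn_packet("192.168.1.20"))
    return ise_client, local_client          # ("bypass", "bypass")


def mac_only_caution_scenario() -> Tuple[str, str, str]:
    """The documented caution: a MAC-only entry for the ASA matches every
    VPN client; adding the IP pins the bypass to a single host."""
    mac_only = [FilterEntry(action="bypass", mac=ASA_MAC)]
    mac_and_ip = [FilterEntry(action="bypass", mac=ASA_MAC, ip="192.168.4.25")]
    any_client = ipn_decision(mac_only, *vpn_packet("192.168.1.10"))
    pinned_host = ipn_decision(mac_and_ip, *vpn_packet("192.168.4.25"))
    other_host = ipn_decision(mac_and_ip, *vpn_packet("192.168.1.10"))
    return any_client, pinned_host, other_host   # ("bypass", "bypass", "enforce")


def separate_pools_scenario() -> Tuple[str, str]:
    """Separate pools: only the pool assigned to the bypassed tunnel-group
    is listed, so laptops on the other pool are still posture-enforced."""
    filters = [FilterEntry(action="bypass", subnet="192.168.4.0/22")]
    laptop = ipn_decision(filters, *vpn_packet("192.168.1.10"))
    phone = ipn_decision(filters, *vpn_packet("192.168.5.7"))
    return laptop, phone                     # ("enforce", "bypass")


if __name__ == "__main__":
    print("shared pool     :", shared_pool_scenario())
    print("MAC-only caution:", mac_only_caution_scenario())
    print("separate pools  :", separate_pools_scenario())
```

The model makes the consequence concrete: a subnet filter only sees source addresses, so when both tunnel-groups draw from the same pool, adding that subnet bypasses posture for the ISE-authenticated users as well, and the only way to keep enforcement on one group while bypassing the other is to give them pools the filter can distinguish (or MAC+IP entries for individual hosts).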
I have two pools for users. One pool (192.168.0.0/22) is intended for laptops with AnyConnect authenticated by ISE (Internal; later it would be AD). The second pool (192.168.4.0/22) is intended for mobile devices (smartphones and iDevices), authenticated by ASA certificates and bypassed in the IPN.
In the first tests, the laptops can be authenticated by the ISE Internal DB, but users can't access internal resources.
I think the problem may originate in something strange I saw in the IPN routing table. In the GUI the route for 192.168.0.0/22 has the ASA interface as default gateway, but in the CLI the same route appears to have no default gateway.