Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ISE inline VPN Posture

Hi,

I have the following setup for the VPN inline posturing:

VPN Users ----- ASA ----- ISE (ipep) ------ Core SW

On the ASA, I have 2 tunnel-groups, the 1st one uses the ISE as radius server, and the 2nd one is using local authentication, and they are sharing the same IP pool (ASA inside interface subnet).

When the users connect to tunnel-group with ISE, all is working fine, the NAC agent installed and users can access internal resources.

When any user connects to tunnel-group without ISE, he cannot access any internal resources, even that the routing and everything is configured.

The filter configuration here is only applied to ASA inside interface, when I add all the subnet to the filter configuration, we can access the inside VLANs but without we cannot.

Is this means that I do bypass posture assessment for all the traffic from this pool (with and without ISE)? or I need to have 2 seperate pools for that? The filter configuration is not that clear in this setup.

Thanks.

Ahmad.

5 REPLIES

ISE inline VPN Posture

ISE inline VPN Posture

For  certain devices, you may want to bypass authentication, posture  assessment, role assignment, or any combination thereof. Common examples  of bypassed device types include printers, IP phones, servers,  nonclient machines, and network devices.

Inline Posture matches the MAC, MAC and IP, or subnet address to determine whether the bypass function is enabled for a device. You can choose to bypass policy enforcement or to forcibly block access.


Caution Do not configure the MAC address in a MAC filter for a directly connected ASA VPN device without also entering the IP address. Without the addition of the optional IP  address, VPN clients are allowed to bypass policy enforcement. This  bypass happens because the VPN is a Layer 3 hop for clients, and the  device uses its own MAC address as the source address to send packets along the network toward the Inline Posture node.
New Member

I have a similar scenario:VPN

I have a similar scenario:

VPN users ----- ASA ----- ISE-ipep (HA) ----- Core SW

I have two pools for users. One pool (192.168.0.0/22) is intended for laptops with anyconnect authenticated by ISE (Internal – further would be AD). The second pool (192.168.4.0/22) is intended for mobile devices (smartphones and iDevices); authenticated by ASA certificates and bypassed in the IPN.

On the first tests, the laptops can be authenticated by ISE Internal DB, but users can’t access internal resources.

I think the problem may be originating in something extraneous I saw in the IPN routing table. On the GUI the route for 192.168.0.0/22 has the ASA interface as default gateway, but on the CLI the same route appears to not have default gateway.

I will appreciate any assistance.

Regards.

Daniel Escalante

New Member

Hi,I solved this issue by

Hi,

I solved this issue by splitting the ip pool (/24) to 2 * (/25) subnets, and assign each pool to a different tunnel-group.

On the ISE IPEP node, I did filter for the non-secure pool (non-secure tunnel-group) so the ISE will only pass this traffic without applying any policy on it.

I did that using the filters, and ensure that the routing us correct on the Core SW.

 

The filter configuration is for the IP addresses, not MAC address.

I cannot remember the command on the pep CLI itself, that you can show the filters.

The idea that you need the traffic to pass through the IPEP without posturing, so you need to have split traffic, and apply filters.

 

In case you need more help, you're welcome to ask.

 

Thanks.

Ahmad.

Silver

kindly check the link for

kindly check the link for step by step config for Inline.

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115724-vpn-inpost-asa-00.html

335
Views
0
Helpful
5
Replies
CreatePlease to create content