VPN device profiling issue ISE In Line with ASA

Hi all,

We have an inline posture ISE which is acting as a RADIUS server for authenticating VPN clients through our ASA.

However, because VPN clients do not send their MAC like wireless and wired clients do, the ISE cannot profile based on MAC as it does by default.

Has anyone come across this issue and have another way of profiling VPN devices?

Thanks

Mario

3 REPLIES

VPN device profiling issue ISE In Line with ASA

One way to accomplish this is to set up a SPAN port for the client VLAN that they are coming in from; from that point ISE will be able to profile devices based on their user agent strings.

Hope that helps.

Tarik Admani
*Please rate helpful posts*

VPN device profiling issue ISE In Line with ASA

If you're using inline posture, it means that you also use NAC Agent and a posture redirect.

You don't have to set up a SPAN port for the user agent string because, by means of the redirect ACL, ISE will find it anyway.

Moreover, you can use NAC Agent to verify certain OS parameters to figure out what kind of device is used when doing RA VPN.
