04-05-2020 10:31 AM
Hi there,
for a customer with a 3rd party VPN solution in place, are there suggestions in how ISE may be able to provide more than just AAA capabilities?
Our customer would like for ISE to be able to check for a registry key, AV installed & Windows update for VPN clients before allowing them on dedicated trusted VLAN inside the VPN concentrator.
Looking for pointers in how we might approach this (we're unlikely to migrate them to ASA/Firepower in the short term).
Brian
04-05-2020 10:38 PM
Posture functionality depends on CoA and URL-redirection capabilities. Due to the lack of support for CoA functionality and URL-redirect in 3rd party VPN devices, posture functionality isn't supported. Make sure the VPN devices do support this in order to move forward.
10-13-2021 01:57 AM
Fortigate supports CoA, and it does some sort of URL redirection. What's the possibility in this case?
10-13-2021 04:23 AM
In that case, as per the earlier thread, the customer could make use of registry keys, AV installed and Windows updates with the help of posture checks before allowing access to VPN users.
Basically, once the user gets authenticated over VPN -> gets postured using the posture policies in ISE -> PSN raises CoA to give authorization as per the compliant or non-compliant authz policies.
10-13-2021 05:26 AM
That's how it should be theoretically, but what needs to be done on ISE in this regard?
10-13-2021 05:34 AM
I am assuming you are talking about configuring Fortigate VPN under ISE. If so, you have to add Fortigate VPN as a Network Access Device. Refer to the "ISE third party vendor support" section under http://cs.co/ise-guides.
Then you can create posture/authz policies in ISE as per the customer requirement so as to posture VPN endpoints.
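To make the flow in the two replies above concrete (user authenticates -> endpoint is postured against registry/AV/Windows-update checks -> PSN sends CoA so the gateway re-authorizes the session), here is a small added model of that sequence. It is illustration code written for this thread, not Cisco ISE or Fortinet code: the posture thresholds, the profile names TRUSTED_VLAN/QUARANTINE, the user name, session id, station id and the shared secret are all constructed. The CoA-Request encoding and its Request Authenticator follow RFC 5176, which is the same mechanism the earlier reply says a 3rd party VPN device must support.

```python
"""Added illustration (not Cisco's or Fortinet's code): a toy model of the ISE posture
flow described in the thread. A VPN user authenticates, the endpoint is postured
against registry / AV / Windows-update checks, and the PSN then sends a RADIUS
CoA-Request (RFC 5176) so the VPN gateway applies the compliant or non-compliant
authorization. Every name, id and the shared secret below is a constructed sample."""
import hashlib
import struct
from dataclasses import dataclass

# RADIUS code for CoA-Request (RFC 5176) and the attribute types used (RFC 2865/2866)
COA_REQUEST = 43
ATTR_USER_NAME = 1
ATTR_FILTER_ID = 11
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44


@dataclass
class PostureReport:
    """What the posture agent reports for one endpoint (constructed sample data)."""
    registry_key_present: bool
    av_installed: bool
    av_definitions_age_days: int
    days_since_last_windows_update: int


def evaluate_posture(report, max_def_age_days=7, max_update_age_days=30):
    """Return (compliant, failed_check_names). The thresholds are assumed policy
    values chosen for this example, not ISE defaults."""
    failed = []
    if not report.registry_key_present:
        failed.append("registry-key")
    if not report.av_installed or report.av_definitions_age_days > max_def_age_days:
        failed.append("antivirus")
    if report.days_since_last_windows_update > max_update_age_days:
        failed.append("windows-update")
    return (len(failed) == 0, failed)


def authorization_profile(compliant):
    """Map compliance to the policy name the gateway should apply.
    TRUSTED_VLAN / QUARANTINE are placeholder Filter-Id values."""
    return "TRUSTED_VLAN" if compliant else "QUARANTINE"


def _attr(attr_type, value):
    """Encode one RADIUS attribute as Type (1) | Length (1) | Value."""
    data = value.encode() if isinstance(value, str) else value
    return struct.pack("!BB", attr_type, len(data) + 2) + data


def build_coa_request(identifier, secret, username, session_id, station_id, filter_id):
    """Encode a CoA-Request. Per RFC 5176 s.3 the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Shared Secret)."""
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_ACCT_SESSION_ID, session_id)
             + _attr(ATTR_CALLING_STATION_ID, station_id)
             + _attr(ATTR_FILTER_ID, filter_id))
    length = 20 + len(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, length)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_coa_request(packet, secret):
    """Gateway-side check: recompute the authenticator with the shared secret.
    A packet that fails this must be silently discarded (RFC 5176), which is what
    stops an unauthenticated party from pushing a session change."""
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return expected == received


def parse_attributes(packet):
    """Decode the attribute TLVs after the 20-byte header into {type: value_bytes}."""
    out, pos = {}, 20
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        out[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return out


def posture_flow(report, secret=b"constructed-secret"):
    """End to end: posture -> authz decision -> the CoA packet the PSN would send."""
    compliant, failed = evaluate_posture(report)
    profile = authorization_profile(compliant)
    packet = build_coa_request(7, secret, "jdoe@example.test", "0A1B2C3D",
                               "00-11-22-33-44-55", profile)
    return compliant, failed, profile, packet


if __name__ == "__main__":
    sample = PostureReport(registry_key_present=True, av_installed=True,
                           av_definitions_age_days=2, days_since_last_windows_update=10)
    ok, failed, profile, pkt = posture_flow(sample)
    print(ok, failed, profile, len(pkt), verify_coa_request(pkt, b"constructed-secret"))
```

The point of the verify step is the one the earlier reply makes: the gateway has to accept and authenticate CoA from the PSN, otherwise ISE can authenticate the user but never move the session between the trusted and quarantine policies after posture completes.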
10-13-2021 05:41 AM
Trying to do this: it's for VPN users.
User -> Fortigate -> Fortiauthenticator (synced with AD for MFA).
Now we have added ISE between this flow.
User -> Fortigate -> Cisco ISE (synced with AD, and Fortiauthenticator configured as a RADIUS token server) -> Fortiauthenticator (synced with AD and used for MFA)
Authentication is working fine.