How to do Posture with a 3rd Party VPN solution

bodonogh
Cisco Employee

Hi there,

For a customer with a 3rd-party VPN solution in place, are there suggestions on how ISE may be able to provide more than just AAA capabilities?

Our customer would like ISE to be able to check for a registry key, AV installed and Windows updates on VPN clients before allowing them onto a dedicated trusted VLAN inside the VPN concentrator.

Looking for pointers in how we might approach this (we're unlikely to migrate them to ASA/Firepower in the short term).

Brian

Accepted Solution

pavagupt
Cisco Employee

Posture functionality depends on CoA and URL-redirection capabilities. Due to the lack of support for CoA and URL redirect on 3rd-party VPN devices, posture functionality isn't supported. Make sure the VPN device does support these in order to move forward.
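The CoA dependency the accepted answer describes is RADIUS Dynamic Authorization (RFC 5176): after posture, the ISE PSN sends a CoA-Request to the NAS (here the VPN gateway) and expects a CoA-ACK or CoA-NAK back. The following is an added example, not code from the original thread or from Cisco or Fortinet, showing both sides of that exchange so you can see exactly what a gateway must be able to answer. The shared secret, session IDs and Filter-Id value are constructed for the example, and the NAS is simulated in-process instead of a real UDP peer (ISE's default CoA port is UDP/1700; RFC 5176 specifies 3799).

```python
"""RFC 5176 CoA probe: build a CoA-Request the way an ISE PSN sends it to a NAS
(the VPN gateway) and validate the CoA-ACK / CoA-NAK that comes back.
The NAS side is simulated here so the example runs offline."""
import hashlib
import struct

CODE_DISCONNECT_REQ, CODE_DISCONNECT_ACK, CODE_DISCONNECT_NAK = 40, 41, 42
CODE_COA_REQ, CODE_COA_ACK, CODE_COA_NAK = 43, 44, 45
CODE_NAMES = {41: "Disconnect-ACK", 42: "Disconnect-NAK", 44: "CoA-ACK", 45: "CoA-NAK"}

ATTR_FILTER_ID = 11          # the ACL/VLAN-style authorization pushed after posture
ATTR_ACCT_SESSION_ID = 44    # identifies the session the CoA applies to
ATTR_ERROR_CAUSE = 101       # RFC 5176 section 3.5, carried in NAK responses
ERROR_CAUSE = {401: "Unsupported Attribute", 404: "Invalid Request",
               503: "Session Context Not Found"}

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs; int values become 32-bit big-endian."""
    out = b""
    for t, v in attrs:
        if isinstance(v, int):
            v = struct.pack("!I", v)
        if len(v) > 253:
            raise ValueError("attribute too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs

def build_request(code, identifier, secret, attrs):
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body

def build_response(code, request, secret, attrs):
    """NAS side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body

def verify_response(request, response, secret):
    """Return (code_name, error_cause_text_or_None); raise if the reply was not
    produced by a NAS that knows the shared secret and saw this exact request."""
    code, rid, length = struct.unpack("!BBH", response[:4])
    if rid != request[1] or length != len(response):
        raise ValueError("response does not match request id/length")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if expected != response[4:20]:
        raise ValueError("bad Response Authenticator (wrong secret or forged reply)")
    error = None
    for t, v in decode_attrs(response[20:]):
        if t == ATTR_ERROR_CAUSE:
            cause = struct.unpack("!I", v)[0]
            error = ERROR_CAUSE.get(cause, str(cause))
    return CODE_NAMES.get(code, str(code)), error

def simulated_nas(request, secret, known_sessions):
    """Toy NAS: ACK the CoA if the Acct-Session-Id is known, otherwise NAK with 503.
    Requests with a bad Request Authenticator are silently discarded, as RFC 5176 requires."""
    code = request[0]
    expected = hashlib.md5(request[:4] + b"\x00" * 16 + request[20:] + secret).digest()
    if expected != request[4:20]:
        return None
    attrs = dict(decode_attrs(request[20:]))
    if attrs.get(ATTR_ACCT_SESSION_ID) in known_sessions:
        ack = CODE_COA_ACK if code == CODE_COA_REQ else CODE_DISCONNECT_ACK
        return build_response(ack, request, secret, [])
    nak = CODE_COA_NAK if code == CODE_COA_REQ else CODE_DISCONNECT_NAK
    return build_response(nak, request, secret, [(ATTR_ERROR_CAUSE, 503)])

def probe(secret, session_id, nas_sessions, filter_id=b"COMPLIANT-ACL"):
    """One full exchange for a session: returns (code_name, error_cause)."""
    req = build_request(CODE_COA_REQ, 7, secret,
                        [(ATTR_ACCT_SESSION_ID, session_id), (ATTR_FILTER_ID, filter_id)])
    resp = simulated_nas(req, secret, nas_sessions)
    if resp is None:
        raise TimeoutError("no reply: NAS discarded the request (wrong secret?)")
    return verify_response(req, resp, secret)

if __name__ == "__main__":
    print(probe(b"s3cret", b"0001A2B3", {b"0001A2B3"}))   # ('CoA-ACK', None)
    print(probe(b"s3cret", b"DEADBEEF", {b"0001A2B3"}))   # ('CoA-NAK', 'Session Context Not Found')
```

Against a real gateway you would send `build_request(...)` over UDP to its CoA port and feed the reply to `verify_response`. The two failure modes worth recognising are a timeout (the NAS either does not listen for dynamic authorization at all or rejected the secret and discarded the packet) and a NAK with Error-Cause 503, which usually means the session identifier ISE learned from accounting does not match what the gateway keys its sessions on; both break posture even when authentication itself works.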


6 Replies

maf_1
Level 1

FortiGate supports CoA, and it does some sort of URL redirection. What's the possibility in this case?

In that case, as per the earlier thread, the customer could make use of registry keys, AV installed and Windows updates with the help of posture checks before allowing access to VPN users.

Basically, once the user gets authenticated over VPN --> the endpoint gets postured using the posture policies in ISE --> the PSN raises a CoA to give authorization as per the compliant or non-compliant authz policies.

That's how it should be theoretically, but what needs to be done on ISE in this regard?

I am assuming you are talking about configuring the FortiGate VPN under ISE. If so, you have to add the FortiGate VPN as a Network Access Device. Refer to the "ISE third party vendor support" section under http://cs.co/ise-guides

Then you can create posture/authz policies in ISE as per the customer requirement so as to posture the VPN endpoints.

Trying to do this: it's for VPN users.
User -> FortiGate -> FortiAuthenticator (synced with AD for MFA).
Now we have added ISE into this flow.
User -> FortiGate -> Cisco ISE (synced with AD, with FortiAuthenticator configured as a RADIUS token server) -> FortiAuthenticator (synced with AD and used for MFA)

Authentication is working fine.