Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
811
Views
0
Helpful
6
Replies

ASA VPN posture and ISE

Go to solution
devvv85
Level 1
Level 1

‎08-07-2018 06:06 AM

Hi Experts,

 

I am testing ASA VPN posture with ISE. Below are the details and my query:

 

ASA version: 9.8.2.39

ISE version: 2.3 patch 3

 

During testing, I found that the endpoint is getting postured correctly and endpoint is getting final access. However, on live logs I cannot see the final "compliant" policy being hit.

 

On CoA logs, I can see the compliant AuthZ profile being hit. However, actual compliant policy is not seen. 

 

Please see attached file. The test_VPN_profile is the final compliant Authz profile. However, I cannot see the policy.

 

Would appreciate your reply.

 

Preview file
45 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
devvv85
Level 1
Level 1
In response to thomas

‎08-20-2018 12:30 AM

Hi Nidhi/Thomas,

 

Thank you for your help. Worked with TAC and the behavior is expected.

All the attributes are sent in CoA itself, so final compliant policy is not seen.

 

Thanks again!!

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Jeffrey Jones
Level 5
Level 5

‎08-07-2018 06:44 AM

What version of the anyconnect client are you using?

Are the users connecting ?

Jeff
0 Helpful

Go to solution
devvv85
Level 1
Level 1
In response to Jeffrey Jones

‎08-07-2018 09:16 AM

Hi Jeff,

Yes, users are able to connect without any issue. Everything is working fine. 

It is just that after the CoA log, I cannot see final compliant policy in live logs. Not sure if this is expected behavior.

 

I am using 4.5.04029 AnyConnect version.

 

Thanks!

0 Helpful

Go to solution
Nidhi
Cisco Employee
Cisco Employee
In response to devvv85

‎08-10-2018 05:48 AM

The live logs and live sessions should show the compliant policy hit. 

If everything is configured correctly and you also see the dACL applied in switch, need to look at the detail debug logs to check if anything is missing. Please work with TAC to debug this. 

 

Thanks,

Nidhi

0 Helpful

Go to solution
Nidhi
Cisco Employee
Cisco Employee
In response to devvv85

‎08-10-2018 05:48 AM

The live logs and live sessions should show the compliant policy hit. 

If everything is configured correctly and you also see the dACL applied in switch, need to look at the detail debug logs to check if anything is missing. Please work with TAC to debug this. 

 

Thanks,

Nidhi

0 Helpful

Go to solution
thomas
Cisco Employee
Cisco Employee

‎08-09-2018 04:08 PM

Try following this guide and see if you missed any steps:

0 Helpful

Go to solution
devvv85
Level 1
Level 1
In response to thomas

‎08-20-2018 12:30 AM

Hi Nidhi/Thomas,

 

Thank you for your help. Worked with TAC and the behavior is expected.

All the attributes are sent in CoA itself, so final compliant policy is not seen.

 

Thanks again!!

0 Helpful
Customers Also Viewed These Support Documents