834 Views | 5 Helpful | 4 Replies

External group policies in ISE + Posture + CoA

Antonio Macia (Level 3)

Hi there,

 

I've implemented a remote access VPN with AnyConnect and applied posture. The ASA group policy is configured in ISE (external group policy). As you may know, when using external group policies it is necessary to create a local user in ISE matching the group policy name, since the ASA uses that name to authenticate with ISE. After that, the end user is also authenticated with his/her own credentials.

 

The problem comes with CoA. When ISE triggers a change of authorization, ONLY the group policy user gets kicked off, while the end user remains authenticated and the new authorization rule doesn't apply to him. Does anyone know how to sort this out?

 

If I run "sh vpn-sessiondb anyconnect", the session ID is shared by both the end user and the group policy user, so I expected both users to get disconnected when the ASA receives the CoA packet referring to that session ID, but that does not occur.

 

Ideas?

Thanks!

4 Replies

thomas (Cisco Employee)

Hello, 

In my case, posture is working fine. My problem is the combination of the user employed for external policy authentication plus the authenticated end user when CoA is triggered.

 

Regards.

Please try it with an internal group-policy instead, as in the link Thomas pointed to, since ISE posture use cases are commonly implemented that way.

 

The external group policies are probably for those not using CoA support for ISE posture.
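An added configuration example, not from the original thread and not Cisco's own reference configuration, that shows the ASA side of the two arrangements discussed above: the external group-policy setup the original poster described, and the internal group-policy setup recommended in this reply, with the RADIUS server group prepared for ISE CoA. Every name, address and password here is a placeholder (ISE at 10.1.1.10, group-policy GP-POSTURE, tunnel-group RA-VPN, ACL REDIRECT-POSTURE) and is assumed for illustration only.

```text
! ===== Arrangement 1 (what the original post describes): external group-policy =====
! The ASA downloads the group-policy attributes from ISE by sending a RADIUS
! Access-Request with the policy NAME as the username, so ISE needs a local
! user called "GP-POSTURE" whose password is the one given on this line.
! (placeholder names/passwords)
group-policy GP-POSTURE external server-group ISE password GP-USER-PASSWORD

! ===== Arrangement 2 (recommended here): internal group-policy =====
! RADIUS server group for ISE. "dynamic-authorization" makes the ASA listen
! for CoA from ISE; the periodic interim accounting keeps ISE's session state
! current. ISE must also have the ASA defined as a network device with CoA
! enabled (ISE sends CoA to UDP/1700 by default).
aaa-server ISE protocol radius
 dynamic-authorization
 interim-accounting-update periodic 1
aaa-server ISE (inside) host 10.1.1.10
 key RADIUS-SHARED-SECRET
 authentication-port 1812
 accounting-port 1813

! The policy lives on the ASA. ISE selects it for a user by returning the
! RADIUS Class attribute "OU=GP-POSTURE" (the "ASA VPN" field of an ISE
! authorization profile), so no second RADIUS login and no extra ISE user.
group-policy GP-POSTURE internal
group-policy GP-POSTURE attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.1.1.53
 split-tunnel-policy tunnelall

! Redirect ACL for the posture phase. Its NAME must match the
! url-redirect-acl value ISE returns; traffic matching "deny" bypasses the
! redirect (DNS and ISE itself), matching "permit" is redirected to ISE.
access-list REDIRECT-POSTURE extended deny udp any any eq domain
access-list REDIRECT-POSTURE extended deny ip any host 10.1.1.10
access-list REDIRECT-POSTURE extended permit tcp any any eq www
access-list REDIRECT-POSTURE extended permit tcp any any eq https

! Tunnel-group that authenticates and accounts against ISE (placeholder pool).
ip local pool VPN-POOL 10.100.0.10-10.100.0.250 mask 255.255.255.0
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy GP-POSTURE
tunnel-group RA-VPN webvpn-attributes
 group-alias RA-VPN enable

! Verification after ISE sends the posture CoA: expect exactly one session
! per end user, with the updated ISE authorization (DACL / group-policy)
! visible in the session details.
!   show vpn-sessiondb anyconnect
!   show vpn-sessiondb detail anyconnect filter name jdoe
```

With arrangement 2 the only RADIUS session ISE holds for the VPN login is the end user's, so a CoA Push or Disconnect for that session lands on the user's tunnel rather than on a helper account that only exists to fetch the policy. Keep the shared secret and ISE network-device entry identical to what the ASA uses for authentication; a CoA from a device ISE does not recognise, or with a mismatched secret, is simply dropped by the ASA.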

Thanks hslai,

 

I'll do it that way.