Cisco ASA ISE Posturing Config


Configure the AAA config for ISE:

aaa-server ISE protocol radius
 authorize-only
 dynamic-authorization
aaa-server ISE (Inside) host 172.16.10.101
 key {ISE-KEY}
aaa-server ISE (Inside) host 172.16.10.102
 key {ISE-KEY}
aaa-server ISE (Inside) host 172.16.20.103
 key {ISE-KEY}

Add the ISE Profile:

webvpn
 enable Outside
 anyconnect image disk0:/anyconnect-macos-4.4.03034-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-4.4.03034-webdeploy-k9.pkg 2
 anyconnect profiles Umbrella disk0:/OrgInfo.json
 anyconnect profiles ise_posture disk0:/ise_posture.isp
 anyconnect profiles remote-cordero disk0:/remote-cordero.xml
 anyconnect profiles vendors disk0:/vendors.xml
 anyconnect enable
 tunnel-group-list enable
 cache

Configure the Group Policy to use ISE:

group-policy LOGON internal
group-policy LOGON attributes
 banner none
 wins-server none
 dns-server value 172.16.30.53 172.16.40.53
 vpn-tunnel-protocol ssl-client 
 group-lock value Logon
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunneling
 default-domain value shriners.cc
 split-dns value cordero.me
 msie-proxy method no-modify
 msie-proxy lockdown disable
 address-pools value RemoteUsers-VPN-Pool
 webvpn
  anyconnect modules value umbrella,iseposture
  anyconnect profiles value remote-cordero type user
  anyconnect profiles value Umbrella type umbrella
  anyconnect profiles value ise_posture type iseposture

In the above policy, I’m also using umbrella!

Configure the Tunnel Group to use ISE:

tunnel-group LOGON type remote-access
tunnel-group LOGON general-attributes
 address-pool RemoteUsers-VPN-Pool
 authentication-server-group ISE
 authorization-server-group ISE
 accounting-server-group ISE
 default-group-policy LOGON

An ACL needs to be configured for ISE:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Redirection ACL's tell the ASA which traffic to permit to be redirected to the ISE
! server, triggering the posture assessment.  Deny statements should be configured as the first lines,
! specifying the DNS, DHCP, ISE PSN, and ISE PAN servers.  These servers will be denied from the
! redirection, allowing for traffic to hit these servers without triggering posture.  This is desired to
! prevent a loop in logic, such that traffic to the PSN needs to be redirected, but is redirected continually
! rather than reaching the PSN.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
access-list ISE-REDIRECT extended deny udp any any eq domain 
access-list ISE-REDIRECT extended deny ip any host 172.16.10.101
access-list ISE-REDIRECT extended deny ip any host 172.16.10.102
access-list ISE-REDIRECT extended deny ip any host 172.16.20.103
access-list ISE-REDIRECT extended deny icmp any any 
access-list ISE-REDIRECT extended permit tcp any any eq www 
access-list ISE-REDIRECT extended permit tcp any any eq https

access-list Split-Tunneling remark enroll.cisco.com for ISE Posturing
access-list Split-Tunneling standard permit host 72.163.1.80 
More Stories
AD Replication Internally vs Site-to-Site