Configure the AAA server group for ISE (RADIUS, with CoA support via dynamic-authorization):
aaa-server ISE protocol radius
 authorize-only
 dynamic-authorization
aaa-server ISE (Inside) host 172.16.10.101
 key {ISE-KEY}
aaa-server ISE (Inside) host 172.16.10.102
 key {ISE-KEY}
aaa-server ISE (Inside) host 172.16.20.103
 key {ISE-KEY}
Add the ISE posture profile under webvpn:
webvpn
 enable Outside
 anyconnect image disk0:/anyconnect-macos-4.4.03034-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-4.4.03034-webdeploy-k9.pkg 2
 anyconnect profiles Umbrella disk0:/OrgInfo.json
 anyconnect profiles ise_posture disk0:/ise_posture.isp
 anyconnect profiles remote-cordero disk0:/remote-cordero.xml
 anyconnect profiles vendors disk0:/vendors.xml
 anyconnect enable
 tunnel-group-list enable
 cache
Configure the Group Policy to use ISE:
group-policy LOGON internal
group-policy LOGON attributes
 banner none
 wins-server none
 dns-server value 172.16.30.53 172.16.40.53
 vpn-tunnel-protocol ssl-client
 group-lock value Logon
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunneling
 default-domain value shriners.cc
 split-dns value cordero.me
 msie-proxy method no-modify
 msie-proxy lockdown disable
 address-pools value RemoteUsers-VPN-Pool
 webvpn
  anyconnect modules value umbrella,iseposture
  anyconnect profiles value remote-cordero type user
  anyconnect profiles value Umbrella type umbrella
  anyconnect profiles value ise_posture type iseposture
In the above policy, I'm also using Umbrella!
Configure the Tunnel Group to use ISE for authentication, authorization and accounting:
tunnel-group LOGON type remote-access
tunnel-group LOGON general-attributes
 address-pool RemoteUsers-VPN-Pool
 authentication-server-group ISE
 authorization-server-group ISE
 accounting-server-group ISE
 default-group-policy LOGON
A redirect ACL needs to be configured for ISE (ISE references it by name in the authorization profile):
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Redirection ACLs tell the ASA which traffic to permit to be redirected to the ISE
! server, triggering the posture assessment. Deny statements should be configured as the first lines,
! specifying the DNS, DHCP, ISE PSN, and ISE PAN servers. These servers will be denied from the
! redirection, allowing for traffic to hit these servers without triggering posture. This is desired to
! prevent a loop in logic, such that traffic to the PSN needs to be redirected, but is redirected continually
! rather than reaching the PSN.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
access-list ISE-REDIRECT extended deny udp any any eq domain
access-list ISE-REDIRECT extended deny ip any host 172.16.10.101
access-list ISE-REDIRECT extended deny ip any host 172.16.10.102
access-list ISE-REDIRECT extended deny ip any host 172.16.20.103
access-list ISE-REDIRECT extended deny icmp any any
access-list ISE-REDIRECT extended permit tcp any any eq www
access-list ISE-REDIRECT extended permit tcp any any eq https
access-list Split-Tunneling remark enroll.cisco.com for ISE Posturing
access-list Split-Tunneling standard permit host 72.163.1.80
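The ordering rule in the comment block above (deny the ISE nodes and DNS before any permit line, or the redirect loops) is easy to break when someone later appends an ACE. As an added check that is not part of the original post, the Python below parses the ISE-REDIRECT ACEs from a pasted config and reports any ISE node or DNS that is not denied ahead of the first permit; the ACL text and node addresses are copied from this post, and the function names are my own.

```python
import re

# Constructed sample: the ISE-REDIRECT ACL exactly as shown in this post.
SAMPLE_ACL = """\
access-list ISE-REDIRECT extended deny udp any any eq domain
access-list ISE-REDIRECT extended deny ip any host 172.16.10.101
access-list ISE-REDIRECT extended deny ip any host 172.16.10.102
access-list ISE-REDIRECT extended deny ip any host 172.16.20.103
access-list ISE-REDIRECT extended deny icmp any any
access-list ISE-REDIRECT extended permit tcp any any eq www
access-list ISE-REDIRECT extended permit tcp any any eq https
"""

# The ISE PSN/PAN addresses from the aaa-server group above.
ISE_NODES = ["172.16.10.101", "172.16.10.102", "172.16.20.103"]

# Matches one extended ACE: name, action, protocol, remainder of the line.
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")


def parse_acl(text, name):
    """Return the ACEs of one extended ACL as (action, proto, rest) tuples, in config order."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == name:
            aces.append((m.group(2), m.group(3), m.group(4)))
    return aces


def check_redirect_acl(aces, ise_nodes):
    """Return a list of problems (empty list means the redirect ACL is ordered correctly).

    Checks that every ISE node and DNS (udp/domain) has a deny ACE placed
    before the first permit ACE, which is what prevents the redirect loop.
    """
    problems = []
    first_permit = next((i for i, a in enumerate(aces) if a[0] == "permit"), len(aces))
    denies_before = aces[:first_permit]
    for node in ise_nodes:
        # Pad with spaces so 172.16.10.10 does not match 172.16.10.101.
        if not any(f" host {node} " in f" {rest} " for _, _, rest in denies_before):
            problems.append(f"no deny for ISE node {node} before the first permit")
    if not any(proto == "udp" and "eq domain" in rest for _, proto, rest in denies_before):
        problems.append("DNS (udp eq domain) is not denied before the first permit")
    return problems


if __name__ == "__main__":
    for msg in check_redirect_acl(parse_acl(SAMPLE_ACL, "ISE-REDIRECT"), ISE_NODES) or ["ACL ok"]:
        print(msg)
```

Feed it the output of `show running-config access-list` to check a live box; the Split-Tunneling standard ACL is ignored because it is not an extended ACL.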