ISE Profiling options for VPN clients

I'm trying to mull over what profiling options are available for VPN users. I have an environment using ASA VPN in conjunction with ISE IPN to allow full posturing for VPN clients prior to allowing network access. The use case here is we want to allow BYOD-type devices in for VPN (using software clients), but want to allow them to be exempted from ISE posturing requirements. I don't see an easy way to distinguish these device types that cannot use the NAC agent from the OSes that can. Since the MAC address isn't sent to the headend, I can't use any of the traditional DHCP-based profiling criteria. So the net effect is these devices are stuck in the "unknown" posture state and have very limited access. Any way around this catch-22? Incidentally, DHCP profiling is on and working fine for the wireless users on the network, but doesn't help me here since I only know the machines by their MAC address.

Chris, I ran into the same issue. NetFlow doesn't work, and I used packet captures to see if anything was worthwhile. The only option I see is filing an enhancement request to see if the ASA can send the device platform over to ISE via RADIUS (much like the device sensor feature on IOS).
I also tried to use a SPAN session, and the catch with it is that the ASA doesn't set the Calling-Station-Id attribute to the tunnel IP, but to the public IP the user is connecting from. So ISE doesn't apply the user-agent attributes to the current session.
I was able to find a way around this by modifying the messaging via root patch to have the users click a link instead of retrying their request when they hit the CPP portal as a mobile device.

Similar Messages

  • Profile option for online tax declaration and payslip.

    Hi,
Can anybody help on setting the profile options for online tax declaration and online payslip for India localization?
    Regards,
    krishna

You should be able to find this out from the SSHR implementation guide. It lists all the options by function.
    Regards
    VS

  • Profile Option for deleting a person

    Hi
I am looking for the name of the profile option which should be set up to enable a user to delete a personal record.
    The menu is under Super HRMS Manager: total comp distribution Delete Personal Record
    Thx

Please post details of your OS, EBS and HR RUP versions. AFAIK, there is no profile option for this. See MOS Doc 143707.1 (How to Delete an Employee's Personal Record?)
    HTH
    Srini

  • How to configure router to use ip pool on the aaa server for vpn clients

How do I configure a router to use an IP pool on the AAA server for VPN clients? I want to use VPN clients to connect to the router, authenticate using the AAA server username database, and also use the IP pool created on the AAA server. I am not able to find the command on the router pointing it to use the pool created on the AAA server. Can someone help me with this command?
    sebastan

    Hello Sebastan,
    what do you use as AAA server (e.g. ACS with TACACS+ or RADIUS) ?
    Regards,
    GNT

  • Reserved ip address for vpn client ?

I need to find a way to have the 10.8 Server VPN service give the same IP address when a VPN client connects. Is this possible?
By default, every time a client connects, then disconnects and connects again, they will get the next incremental IP address in the IP address pool set in the VPN server configuration.

If you eliminate the pool and use just one IP address, technically that should work; however, only one client at a time can connect to the VPN server. Would that work for you?

  • Need profile option for determining DateTime format in Oracle Forms

    Hello All,
    I also have requirement where I need to read the date format in which Oracle Forms displays date values.
    As per updates to [this thread|https://forums.oracle.com/forums/thread.jspa?messageID=10285119] , I just need to read the profile option "ICX: Date format mask" ("ICX_DATE_FORMAT_MASK"), and reformat the date value to my required target format.
    This is good for the date type of fields. But what about the profile option that determines "datetime" formats in Oracle Forms ?
    Appreciate any help.
    Thanks
    Bhaskar

    Are you linking the host script to fndcpesr? E.g.:
    Host script defined with prog extension:
    XXSCRIPT.prog
    Move it to relevant dir:
    $XX_TOP/bin
    Create a soft link to fndcpesr
    ln -s $FND_TOP/bin/fndcpesr XXSCRIPT

  • Oracle Apps Profile Options for Disco 9iv2

    What profile options and values need to be set for Oracle Apps, 11.5.9 using Discoverer 9iAS V2?

    Check ML Note 105292.1 for tracing options specific to the HR module
    Srini Chavali

  • DNS permission denied for vpn clients?

    I have an x-serve setup to allow a client access remotely to a local network via VPN. I'm currently having an issue with the DNS server however, which is not allowing me to do lookups when connected via the VPN:
    client 10.0.0.130#59551: view com.apple.ServerAdmin.DNS.public: error sending response: permission denied
    The DNS server resolves perfectly fine for physical machines on the local network.

    Have you added the range of VPN-assigned addresses to the list of clients the DNS server will respond to?
    Server Admin -> (server) -> DNS -> Settings -> Accept recursive queries from the following networks
    This will have to include the VPN client address range in order for the DNS server to respond to their queries.

  • What TCP/UDP ports need to be open for VPN Client version 4.8?

    What TCP/UDP ports need to be open for Cisco VPN Client version 4.8 to work?
    Thanks,

Normally, you need the following ports and protocol:
    UDP 500
    UDP 4500
    ESP
In case you are using IPSec over TCP, you have to open TCP port 10000 or any other port you want to use for IPSec connections (it's configurable).
    -Kanishka

  • NAC for VPN clients

    Hi everyone,
Does somebody know how to configure a PIX/ASA and/or a router to do admission control for the VPN clients that connect?
    Thanks

    Hi,
This link will help:
    http://www.cisco.com/en/US/products/ps6121/products_configuration_guide_chapter09186a00806a81a0.html
    Regards,
    Vivek

  • Cisco ISE posture check for VPN

    Hello community,
First of all, thank you for taking the time to read my post. I have a deployment which requires the posture check feature on VPN machines from Cisco ISE. I know that once a machine is in the LAN, Cisco ISE can detect it and enforce posture checks on clients with the AnyConnect agent, but how about VPN machines? The VPN will be terminated via a VPN concentrator which then connects to an ASA5555X which is deployed as an IPS only. Are there any clues to this?
    Thank you!

The Cisco ASA Version 9.2.1 supports RADIUS Change of Authorization (CoA) (RFC 5176). This allows for posturing of VPN users against the Cisco ISE without the need for an IPN. After a VPN user logs in, the ASA redirects web traffic to the ISE, where the user is provisioned with a Network Admission Control (NAC) Agent or Web Agent. The agent performs specific checks on the user machine in order to determine its compliance against a configured set of posture rules, such as Operating System (OS), patches, AntiVirus, Service, Application, or Registry rules.
The results of the posture validation are then sent to the ISE. If the machine is deemed compliant, then the ISE can send a RADIUS CoA to the ASA with the new set of authorization policies. After successful posture validation and CoA, the user is allowed access to the internal resources.
    http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html
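Two points in these threads are easier to see in code than in prose: the ISE-to-ASA CoA exchange that the posture answer above describes (RFC 5176 packet codes and authenticator rules), and the reply in the first thread noting that the ASA populates Calling-Station-Id with the client's public address rather than the tunnel address, which is why any correlation with traffic captured inside the network has to key on Framed-IP-Address. The following is an added example, not code from either thread or from Cisco: a minimal RADIUS attribute codec with the CoA-Request and CoA-ACK authenticator computations. The user name, the two addresses, the session id, the shared secret and the Cisco-AVPair text are constructed for the demo; the AVPair string in particular is an assumption and not a value taken from the page.

```python
# Added example (not code from the original threads or from Cisco): a minimal
# RADIUS attribute codec plus the RFC 5176 CoA-Request / CoA-ACK authenticator
# rules, used to walk through the ISE -> ASA exchange described above.  The
# user name, addresses, session id, shared secret and the Cisco-AVPair string
# are constructed for the demo; the AVPair text is an assumption, not a value
# taken from the page.
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45                 # RFC 5176 packet codes
USER_NAME, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC = 1, 8, 26   # RFC 2865 attribute types
CALLING_STATION_ID, ACCT_SESSION_ID = 31, 44
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1                       # IANA enterprise 9, sub-type 1


def encode_attr(atype, value):
    """RADIUS TLV: Type, Length (covers the 2-byte header), Value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific (26) carrying vendor 9, sub-attribute 1 (Cisco-AVPair)."""
    sub = encode_attr(CISCO_AVPAIR, text.encode())
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def decode_attrs(blob):
    """Return [(type, value), ...]; a bad Length raises instead of looping forever."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        out.append((atype, blob[i + 2:i + alen]))
        i += alen
    return out


def build_coa_request(secret, identifier, attrs):
    """CoA-Request.  RFC 5176 reuses the Accounting-Request rule of RFC 2866:
    Request Authenticator = MD5(Code + Identifier + Length + 16 zero octets
    + attributes + shared secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def build_coa_response(secret, request, code=COA_ACK, attrs=()):
    """CoA-ACK/NAK.  Response Authenticator = MD5(Code + Identifier + Length
    + Request Authenticator + attributes + shared secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(secret, request, response):
    """True only if the response matches our request id and its authenticator
    was computed with the same shared secret (constant-time compare)."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def session_tunnel_ip(packet):
    """Address to correlate a VPN session with traffic seen inside the network.
    As the reply in the first thread notes, the ASA puts the client's public
    address in Calling-Station-Id, so the tunnel address has to come from
    Framed-IP-Address instead."""
    attrs = dict(decode_attrs(packet[20:]))
    framed = attrs.get(FRAMED_IP_ADDRESS)
    return ".".join(str(b) for b in framed) if framed and len(framed) == 4 else None


def demo(secret=b"s3cret"):
    """Constructed CoA exchange: ISE tells the ASA to re-authorize the session
    after posture succeeded, and the ASA acknowledges."""
    attrs = [
        encode_attr(USER_NAME, b"alice"),
        encode_attr(CALLING_STATION_ID, b"203.0.113.7"),          # public IP, as the ASA sends it
        encode_attr(FRAMED_IP_ADDRESS, bytes([10, 10, 5, 23])),   # tunnel address
        encode_attr(ACCT_SESSION_ID, b"0A1B2C3D"),
        cisco_avpair("subscriber:command=reauthenticate"),        # assumed AVPair text
    ]
    request = build_coa_request(secret, 7, attrs)
    ack = build_coa_response(secret, request)
    forged = build_coa_response(b"wrong-secret", request)         # wrong secret must not verify
    return {
        "request_code": request[0],
        "calling_station_id": dict(decode_attrs(request[20:]))[CALLING_STATION_ID].decode(),
        "tunnel_ip": session_tunnel_ip(request),
        "ack_valid": verify_response(secret, request, ack),
        "forged_ack_valid": verify_response(secret, request, forged),
    }


if __name__ == "__main__":
    print(demo())
```

The authenticator is what stops an unauthenticated host on the management network from acknowledging, or injecting, a CoA on the ASA's behalf: a CoA-ACK built with the wrong shared secret fails `verify_response`, which is the check an ISE-side client should make before treating a session as re-authorized. The attribute decoder rejects a Length below 2 rather than treating it as zero, since a zero-length TLV would otherwise loop forever on attacker-supplied input.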

  • Windows 8.1 do not show DISCONNECT option for VPN, why? bug? Please fix!!!

I created a VPN connection. Once I connected to the VPN in Windows 8.1, it does not show a DISCONNECT option when I click on the VPN again. It just keeps showing the CONNECT option only. Why? This has to be a bug! Please fix!

    Hi Dan5678,
    Is the connection an incoming VPN connection?
    If yes, then you may take a look at the KB article below:
    How to disconnect an incoming VPN connection in Windows 8 and in Windows Server 2012
    To disconnect an incoming VPN connection, follow these steps:
    Open Network Connections. To do this, use either of the following methods:
    Swipe in from the right edge of the screen, or point to the lower-right corner of the screen, and then click Search. Then type ncpa.cpl, and click the Ncpa.cpl icon.
    Press Win+R to open the Run window, type ncpa.cpl, and then click OK.
    Right-click the incoming VPN connection that you want to disconnect, and then click Status.
    On the General tab, click Disconnect.
    Close Network Connections.
    Hope this may be helpful.
    Regards

  • Best option for VPN and Firewall..

    I am replacing my Watchguard Firebox 700 Firewall/VPN with a Cisco box. I am trying to determine what would be the best model for my environment.
    20 person company.. The only need would be for 1 or 2 different offices to connect via VPN and also our users to connect via VPN. So my needs are for firewall and VPN.. What model would you recommend?
    Thank you

    Hi,
    I would suggest ASA 5505. Take a look at the link below.
    http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
    Rate it, if it helps.
    Thanks
    Gilbert

  • Smaller MTU for VPN clients?

I have a 2611 router running 12.3 and have about a dozen users connecting to my LAN via this router (only 1 - 3 at a time). When I originally was setting this up, a TAC engineer suggested lowering my MTU for performance reasons. Several of my connecting users are experiencing "hangs"; could the MTU be the culprit? What is the syntax to change it, and do I put that on the Virtual-Template, the Ethernet interface or the main Serial? Would this affect performance of other traffic?

This link should help you determine where you want to adjust the MTU and which option will work best for your environment.
    http://www.cisco.com/warp/public/105/pmtud_ipfrag.html

  • "Anyconnect client profile" option missing in ASDM

    Hello,
    I'm in the process of setting up Anyconnect on the ASA, and have successfully updated the licensing, as well as uploaded the anyconnect pkg for web deployment. I enabled anyconnect on the outside interface and can now have the ASA push the client to the machine. Works fine. However, I want to add backup servers that the client will attempt to reach in the event the primary is down. I understand that "client profiles" can be created to customize settings like this. Problem is, when I follow the configuration guide with instructions for making client profiles at this location:
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac02asaconfig.html#wp1289905
    It shows that I should have an option for Anyconnect Client Profile and Anyconnect Client Settings.
    I don't have either of those options in ASDM. Here's what mine shows:
    I have another "SSL Client profiles" option, but it doesn't seem the same as the options above.
    Can someone assist with what I need to do to get the Client Profiles option to be available so I can add backup server information to the client? Thanks!

    Thanks for the response Marvin,
    It shows the ASA and ASDM versions are 8.2 and 6.2 respectively.
    Result of the command: "sh version"
    Cisco Adaptive Security Appliance Software Version 8.2(1)
    Device Manager Version 6.2(1)
    Result of the command: "sh act | i Ess"
    AnyConnect Essentials        : Enabled 
I don't have the Premium license, just the AnyConnect Essentials and Mobile licenses. I would imagine Essentials should have the same profile configuration options, though. If it is in fact because I'm running an older version of ASDM, do I need to update both the ASA IOS and ASDM together, or can I just upgrade ASDM on its own? Thanks again.
