Cisco Identity Services Engine 1.0.4 Technical Manual
VPN Inline Posture using iPEP ISE and ASA
Document ID: 115724
Contributed by Bastien Migette, Cisco TAC Engineer.
Mar 19, 2013
Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
Background Information
Basic Flow
Example Topology
ASA Configuration
ISE Configuration
iPEP Configuration
Authentication and Posture Configuration
Posture Profiles Configuration
Authorization Configuration
Result
Related Information
Introduction
This document provides information on how to set up inline posture with an Adaptive Security Appliance
(ASA) and an Identity Services Engine (ISE).
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on version 8.2(4) for the ASA and version 1.1.0.665 for the ISE.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Background Information
The ISE provides many AAA services (posture, profiling, authentication, and so on). Some Network Devices
(NADs) support RADIUS Change of Authorization (CoA), which allows the authorization profile of an end
device to be changed dynamically based on its posture or profiling result. Other NADs, such as the ASA, do
not support this feature yet. This means that an ISE running in Inline Posture Enforcement mode (iPEP) is
needed to dynamically change the network access policy of an end device.