Cisco AnyConnect Secure Mobility Client v2.x Technical Manual
The information in this document is based on these software versions:
● Cisco ASA software Versions 9.2.1 and later
● Microsoft Windows Version 7 with Cisco AnyConnect Secure Mobility Client Version 4.2 and later
● Cisco ISE, Release 2.0 and later
Configure
Network Diagram
The flow is as follows:
● The VPN session initiated by the AnyConnect client is authenticated via ISE. The posture status of the endpoint is not known, rule "
● The user opens a web browser, and HTTP traffic is redirected by the ASA to ISE. ISE pushes the newest version of AnyConnect, along with the posture and compliance module, to the endpoint.
● Once the posture module is executed, it checks whether partition "E:" is fully encrypted by BitLocker. If so, the report is sent to ISE, which triggers a RADIUS Change of Authorization (CoA) without any ACL (full access).
● The VPN session on the ASA is updated, the redirect ACL is removed, and the session has full access.
The VPN session is presented here only as an example. The posture functionality also works for other types of access.
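When the posture step in the flow above does not end in full access, it helps to read the BitLocker state of partition E: directly on the endpoint. The script below is an added example, not part of the Cisco document and not the posture module's own logic; it queries the Win32_EncryptableVolume WMI class, and the function name Get-BitLockerVerdict and its output fields are assumptions of this example.

```powershell
# Added example, not from the Cisco document. Run from an elevated prompt.
# Uses only PowerShell 2.0 features so it also runs on Windows 7.
param([string]$DriveLetter = 'E:')   # partition named in the flow above

function Get-BitLockerVerdict {      # hypothetical helper name
    param([string]$DriveLetter)
    $result = New-Object PSObject -Property @{
        DriveLetter = $DriveLetter; FullyEncrypted = $false; Detail = ''
    }
    try {
        $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
            -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'" `
            -ErrorAction Stop
    } catch {
        $result.Detail = "WMI query failed (not elevated or BitLocker absent): $($_.Exception.Message)"
        return $result
    }
    if (-not $vol) {
        $result.Detail = 'No encryptable volume with this drive letter'
        return $result
    }
    $conv = $vol.GetConversionStatus()
    if ($conv.ReturnValue -ne 0) {
        $result.Detail = 'GetConversionStatus failed: 0x{0:X8}' -f $conv.ReturnValue
        return $result
    }
    # ConversionStatus codes defined for Win32_EncryptableVolume
    $names = @{ 0 = 'FullyDecrypted';       1 = 'FullyEncrypted'
                2 = 'EncryptionInProgress'; 3 = 'DecryptionInProgress'
                4 = 'EncryptionPaused';     5 = 'DecryptionPaused' }
    $status = $names[[int]$conv.ConversionStatus]
    if (-not $status) { $status = "Unknown($($conv.ConversionStatus))" }

    # ProtectionStatus 1 = on; 0 (off, e.g. suspended) and 2 (unknown) are reported as such
    $prot = $vol.GetProtectionStatus()
    $protText = 'off or unknown'
    if ($prot.ReturnValue -eq 0 -and $prot.ProtectionStatus -eq 1) { $protText = 'on' }

    $result.FullyEncrypted = ($status -eq 'FullyEncrypted')
    $result.Detail = '{0}, {1}% encrypted, protection {2}' -f $status, $conv.EncryptionPercentage, $protText
    return $result
}

$verdict = Get-BitLockerVerdict -DriveLetter $DriveLetter
$verdict | Format-List DriveLetter, FullyEncrypted, Detail
if (-not $verdict.FullyEncrypted) { exit 1 }   # non-zero exit when not fully encrypted
```

A conversion that is still in progress or paused is reported as not fully encrypted, with the percentage shown in Detail.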