Cisco AnyConnect Secure Mobility Client v4.x Technical Manual

runs and the correct SSID is automatically used as per the configured NAM profile (Secure_access). EAP-PEAP is used in this example; Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) could also be used. At the same time, the Posture module checks whether the station is compliant (it checks for the existence of the file c:\test.txt).
Step 3. If the station's posture status is unknown (no report from the Posture module), it is still redirected for provisioning, because the Unknown Authz rule is matched on ISE. Once the station is compliant, ISE sends a Change of Authorization (CoA) to the Wireless LAN Controller, which triggers re-authentication. A second authentication occurs, and the Compliant rule is matched on ISE, which grants the user full access to the network.
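The sequence in Step 3, written out as a small model so the ordering is clear: ISE only makes an authorization decision at authentication time, so a posture report on its own changes nothing until the CoA forces re-authentication. This is an added example, not code from the Cisco document; the names Session, authorize, posture_report and the Quarantine result for a non-compliant report are assumptions for illustration.

```python
# Added example (not from the Cisco document): a minimal model of the ISE
# posture-driven authorization flow. Session/authorize/posture_report names
# and the "Quarantine" branch are assumptions chosen for illustration.
from dataclasses import dataclass, field
from typing import List, Optional

POSTURE_FILE = r"c:\test.txt"   # the file the Posture module checks for (from the text)


def posture_status(endpoint_files):
    """Posture module result: 'Compliant' when the required file exists.
    None models the case where no posture report has been sent yet (Unknown)."""
    if endpoint_files is None:
        return None
    return "Compliant" if POSTURE_FILE in endpoint_files else "NonCompliant"


@dataclass
class Session:
    ssid: str
    posture: Optional[str] = None       # last posture report received by ISE
    authz: Optional[str] = None         # result of the most recent authentication
    history: List[str] = field(default_factory=list)


def authorize(session):
    """Evaluate the ISE authorization rules top-down on 802.1X authentication.
    No posture report -> Unknown Authz rule -> redirect for provisioning.
    Compliant posture  -> Compliant rule    -> full access."""
    if session.posture == "Compliant":
        session.authz = "PermitAccess"
    elif session.posture is None:
        session.authz = "Redirect-Provisioning"
    else:
        session.authz = "Quarantine"   # assumed handling of a non-compliant report (not in the text)
    session.history.append(session.authz)
    return session.authz


def posture_report(session, endpoint_files, send_coa=True):
    """The Posture module reports to ISE. Access only changes after ISE sends a
    CoA to the WLC and the station re-authenticates; without CoA the old authz stays."""
    session.posture = posture_status(endpoint_files)
    if send_coa:
        return authorize(session)      # CoA -> WLC re-authenticates -> rules re-evaluated
    return session.authz
```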
As a result, the user has been provisioned with the AnyConnect VPN, NAM, and Posture modules, which together allow unified access to the network. Similar functionality can be used on the Adaptive Security Appliance (ASA) for VPN access. Currently, ISE can do the same for any type of access with a very granular approach.
This functionality is not limited to corporate users, but that group of users is probably the most common one to deploy it for.
Configure
WLC
The WLC is configured with two SSIDs:
Provisioning - [WPA + WPA2][Auth(802.1X)]. This SSID is used for AnyConnect provisioning.
Secure_access - [WPA + WPA2][Auth(802.1X)]. This SSID is used for secure access after the endpoint has been provisioned with the NAM module that is configured for that SSID.
ISE
Step 1. Add the WLC
Add the WLC to the Network Devices on ISE.
Step 2. Configure the VPN Profile
Configure the VPN profile with the AnyConnect Profile Editor for VPN.