Cisco ASA 5512-X Adaptive Security Appliance - No Payload Encryption Technical Manual

5. The ASA disconnects the VPN user. Since AnyConnect is configured with Always-on VPN access, a new session is established; however, this time a different ISE Authorization rule is matched (for quarantined hosts) and limited network access is provided. At this stage, it does not matter how the user connects and authenticates to the network; as long as the ISE is used for authentication and authorization, the user has limited network access due to quarantine.
As previously mentioned, this scenario works for any type of authenticated session (VPN, wired 802.1x/MAB/Webauth, wireless 802.1x/MAB/Webauth) as long as the ISE is used for authentication and the network access device supports the RADIUS CoA (all modern Cisco devices).
Tip: In order to move the user out of quarantine, you can use the ISE GUI. Future versions
of the remediation module might also support it.
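The quarantine flow above hinges on the network access device honouring a RADIUS Change of Authorization (RFC 5176) from ISE: the ASA must authenticate the request with the shared secret, locate the session, tear it down, and answer with an ACK or a NAK. The following Python is an added example that is not part of this document or of any Cisco software; it models the exchange with a constructed session table keyed by Acct-Session-Id (an assumption for illustration, since the real ASA/ISE exchange carries additional Cisco attributes) and shows the two checks a defender cares about: a packet with a bad authenticator is silently discarded, and an unknown session yields Error-Cause 503 rather than a disconnect.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes for the Disconnect exchange
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
# Attribute types (RFC 2865 / RFC 5176)
ATTR_USER_NAME, ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 1, 44, 101
ERR_SESSION_CONTEXT_NOT_FOUND = 503  # RFC 5176 section 3.5


def encode_attrs(attrs):
    """Encode a list of (type, value_bytes) into RADIUS TLV attributes."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Decode RADIUS TLV attributes; raise on a malformed length field."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_request(code, identifier, attrs, secret):
    """Build a CoA/Disconnect-Request; Request Authenticator per RFC 5176 2.3."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def build_response(code, request, attrs, secret):
    """Build an ACK/NAK; Response Authenticator covers the Request Authenticator."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_request(packet, secret):
    """NAD-side check: length field and Request Authenticator must match."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def verify_response(response, request, secret):
    """Sender-side check of an ACK/NAK against the request it answers."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def error_cause(packet):
    """Return the Error-Cause value carried in a NAK, or None."""
    for attr_type, value in decode_attrs(packet[20:]):
        if attr_type == ATTR_ERROR_CAUSE and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None


def nad_handle_disconnect(packet, secret, sessions):
    """Simulated ASA behaviour: discard bad packets, tear down a known session."""
    if not verify_request(packet, secret) or packet[0] != DISCONNECT_REQUEST:
        return None  # RFC 5176: a request with a bad authenticator is silently discarded
    attrs = dict(decode_attrs(packet[20:]))
    session_id = attrs.get(ATTR_ACCT_SESSION_ID, b"").decode("ascii", "replace")
    if session_id in sessions:
        del sessions[session_id]  # the user is disconnected; Always-on VPN will reconnect
        return build_response(DISCONNECT_ACK, packet, [], secret)
    cause = struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND)
    return build_response(DISCONNECT_NAK, packet, [(ATTR_ERROR_CAUSE, cause)], secret)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # constructed sample value
    sessions = {"0A0000010000001234": "user1"}    # constructed session table
    req = build_request(DISCONNECT_REQUEST, 7,
                        [(ATTR_USER_NAME, b"user1"),
                         (ATTR_ACCT_SESSION_ID, b"0A0000010000001234")], secret)
    resp = nad_handle_disconnect(req, secret, sessions)
    print("ACK" if resp and resp[0] == DISCONNECT_ACK else "NAK/discarded", sessions)
```

On a real ASA the equivalent of `nad_handle_disconnect` is the `dynamic-authorization` support on the AAA server group; the point of the model is that a CoA is only honoured when the shared secret validates and the session identifier matches, which is also why a NAD log showing repeated NAKs with Error-Cause 503 usually means ISE and the NAD disagree about the session identifier rather than about the secret.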
FirePower
Note: A VM appliance is used for the example that is described in this document. Only the initial configuration is performed via the CLI. All of the policies are configured from Cisco Defence Center. For more details, refer to the Related Information section of this document.
The VM has three interfaces, one for management and two for inline inspection (internal/external).
All of the traffic from the VPN users moves via FirePower.
FireSight Management Center (Defence Center)
Access Control Policy
After you install the correct licenses and add the FirePower device, navigate to Policies > Access Control and create the Access Policy that is used in order to drop the HTTP traffic to 172.16.32.1:
All other traffic is accepted.
ISE Remediation Module
The current version of the ISE module that is shared on the community portal is ISE 1.2 Remediation Beta 1.3.19:
Navigate to Policies > Actions > Remediations > Modules and install the file: