Cisco Identity Services Engine Software Technical Manual

Here is the traffic flow, as illustrated in the network diagram:

1. The remote user connects through Cisco AnyConnect for VPN access to the ASA. The same flow applies to any type of unified access, such as an 802.1X/MAC Authentication Bypass (MAB) wired session that is terminated on the switch or a wireless session that is terminated on the Wireless LAN Controller (WLC).

2. As part of the authentication process, the ISE determines that the posture status of the end station is not equal to Compliant (the ASA-VPN_quarantine authorization rule matches) and returns the redirection attributes in the RADIUS Access-Accept message. As a result, the ASA redirects all of the HTTP traffic to the ISE.

3. The user opens a web browser and enters any address. After the redirection to the ISE, the Cisco AnyConnect 4 posture module is installed on the station. The posture module then downloads the posture policies from the ISE (including the WSUS requirement).

4. The posture module searches for Microsoft WSUS and performs remediation.

5. After successful remediation, the posture module sends a posture report to the ISE.

6. The ISE issues a RADIUS Change of Authorization (CoA) that provides full network access to the now-compliant VPN user (the ASA-VPN_compliant authorization rule matches).
Note: In order for the remediation to work (the ability to install Microsoft Windows updates on the PC), the user must have local administrative rights.
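The following PowerShell script is an added example for checking the endpoint-side prerequisites of the WSUS remediation step; it is not part of the Cisco document or of the AnyConnect posture module. It reads the standard WSUS client policy values from the registry (WUServer, WUStatusServer and UseWUServer under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate), tests whether the configured WSUS server is reachable from the quarantined station, confirms that the Windows Update service is not disabled, and reports whether the current process holds local administrator rights. Test-NetConnection requires Windows 8 / Windows Server 2012 or later; under UAC the admin check reflects the elevation of the process the script runs in, not just group membership.

```powershell
# Added example (not from the Cisco document): pre-checks for WSUS-based posture
# remediation on a Windows endpoint. Run it in the logged-on user's session while
# the station is in the quarantine state, so the reachability test goes through
# the same redirect ACL the posture module will use.

function Test-LocalAdmin {
    # Installing updates needs a local administrator; under UAC this is true only
    # for an elevated process, which is the condition that matters for remediation.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-WsusClientConfig {
    # Values written by the "Specify intranet Microsoft update service location"
    # policy. Missing keys yield $null / 0, which the checks below treat as FAIL.
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = Join-Path $wu 'AU'
    $p  = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $a  = Get-ItemProperty -Path $au -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $p.WUServer
        WUStatusServer = $p.WUStatusServer
        UseWUServer    = [int]$a.UseWUServer   # 1 = client uses the WSUS server
    }
}

function Test-WsusReachable {
    param([Parameter(Mandatory)][string]$WsusUrl)
    # Derive host and port from the configured URL; the redirect ACL on the ASA
    # must permit this destination or remediation cannot start.
    $uri  = [uri]$WsusUrl
    $port = if ($uri.IsDefaultPort) {
                if ($uri.Scheme -eq 'https') { 443 } else { 80 }
            } else { $uri.Port }
    return (Test-NetConnection -ComputerName $uri.Host -Port $port -InformationLevel Quiet)
}

$cfg = Get-WsusClientConfig
$policyApplied = ($cfg.UseWUServer -eq 1) -and -not [string]::IsNullOrEmpty($cfg.WUServer)
$reachable     = if ($policyApplied) { Test-WsusReachable -WsusUrl $cfg.WUServer } else { $false }
$wuService     = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
$serviceUsable = ($null -ne $wuService) -and ($wuService.StartType -ne 'Disabled')

$results = [ordered]@{
    'Local admin rights'          = Test-LocalAdmin
    'WSUS client policy applied'  = $policyApplied
    'WSUS server reachable'       = $reachable
    'Windows Update service usable' = $serviceUsable
}

"WSUS server: $($cfg.WUServer)"
"Status server: $($cfg.WUStatusServer)"
foreach ($check in $results.GetEnumerator()) {
    '{0,-30} {1}' -f $check.Key, $(if ($check.Value) { 'OK' } else { 'FAIL' })
}
```

A FAIL on the reachability line while the station is quarantined usually points at the redirect ACL rather than at WSUS itself: the ACL must exempt the WSUS host and port (and the ISE itself) from redirection, otherwise the posture module can never complete step 4 and the CoA in step 6 is never issued.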
Microsoft WSUS
Note: A detailed configuration of the WSUS is out of the scope of this document. For details, refer to the Deploy Windows Server Update Services in Your Organization Microsoft documentation.