Need help killing an active VPN session with Cisco ISE API

We have a web app that disables a user's account if they are compromised. For example, they clicked a phishing email. I have been tasked with "kill the user's VPN session" when they click the button too.

I am an experienced web developer, but I am new to Cisco and Cisco ISE. Our networking department does not do much with APIs but I have been given an API username and password and they threw some docs at me. The docs are massive and what I am looking for is basically POST https://our-ise:9060/ers/config/sessions/endsession?samaccountname=bob

Obviously this is a fake endpoint that does not exist, but that is pseudocode of what I need to accomplish.

Maybe you can do it with PowerShell on the local machine? Something like: Stop-Service -Name "vpnagent" -Force

Try looking for /ers/config/session/CoA/Disconnect in the documents. You can use this to disconnect a user, but ISE needs to be configured so that it uses Posture Assessment with AnyConnect, otherwise AnyConnect will not do anything with the CoA. You can use session-id or MAC, and maybe more, to do the disconnect, and you can look up the session-id by username, but I don't know what you are collecting on the web app and how the web app knows who is clicking the button.

Are users disconnecting themselves, or is it a fake phish that should do it? I am a little confused on that.

This would be very dependent on your setup. If for example your network looks like this:

USER—VPN HE----(Auth)—ISE

Then what you should look at is CoA, not ending the ISE session. Essentially you want ISE to tell the VPN head end that the VPN session is invalid.

https://community.cisco.com/t5/network-access-control/ise-coa-for-asa-vpn-connections/td-p/3599874

https://community.cisco.com/t5/network-access-control/cisco-ise-api-s-for-coa/td-p/4695219
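The two replies above describe the same flow: look up the user's active session by username, then ask ISE to send a CoA disconnect to the VPN head end. Below is an added example of that flow in Python, written for this thread and not taken from the original posts or from Cisco. It uses the ISE Monitoring (MnT) REST paths `/admin/API/mnt/Session/UserName/<user>` and `/admin/API/mnt/CoA/Disconnect/<psn>/<mac>/<type>` as I understand them from the ISE API reference; treat the exact paths, port, XML element names and the disconnect-type codes as assumptions to confirm against your ISE version. The host name, credentials and the embedded XML response are constructed placeholders so the code runs offline; `fetch` is injected so the same logic can be exercised without a live ISE.

```python
"""Find a user's active ISE session and request a CoA disconnect for it.

Added example for this thread (not from the original posts). Endpoint
paths, XML element names and disconnect-type values are ASSUMPTIONS based
on the ISE MnT REST API; the host, credentials and sample XML are
constructed placeholders.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import quote

ISE_HOST = "ise.example.internal"          # constructed placeholder
ISE_USER = "api-user"                      # constructed placeholder
ISE_PASS = "change-me"                     # constructed placeholder
CA_BUNDLE = "/etc/ssl/certs/internal-ca.pem"  # constructed placeholder

# Constructed sample of a session-lookup response for one user. Element
# names mirror the MnT activeSession document (assumption).
SAMPLE_SESSION_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<activeSessionList noOfActiveSession="1">
  <activeSession>
    <user_name>bob</user_name>
    <calling_station_id>00:11:22:33:44:55</calling_station_id>
    <acs_server>ise-psn-1</acs_server>
    <nas_ip_address>192.0.2.10</nas_ip_address>
    <framed_ip_address>198.51.100.20</framed_ip_address>
  </activeSession>
</activeSessionList>
"""

# Constructed sample of a CoA response (assumed shape).
SAMPLE_COA_XML = b"""<?xml version="1.0"?>
<remoteCoA requestType="disconnect"><results>true</results></remoteCoA>"""


def session_lookup_url(host, username):
    """MnT lookup of active sessions for one username (path is an assumption)."""
    return f"https://{host}/admin/API/mnt/Session/UserName/{quote(username, safe='')}"


def coa_disconnect_url(host, psn, mac, disconnect_type=0):
    """MnT CoA disconnect. Type 0 = plain session terminate (assumption:
    1 = port bounce, 2 = port shutdown, both meaningless for a VPN session)."""
    return f"https://{host}/admin/API/mnt/CoA/Disconnect/{psn}/{mac}/{disconnect_type}"


def parse_active_sessions(xml_bytes):
    """Return a list of dicts with the fields needed to build a CoA request."""
    root = ET.fromstring(xml_bytes)
    sessions = []
    for s in root.findall("activeSession"):
        sessions.append({
            "user": s.findtext("user_name"),
            "mac": s.findtext("calling_station_id"),
            "psn": s.findtext("acs_server"),      # PSN that owns the session
            "nas_ip": s.findtext("nas_ip_address"),  # the VPN head end
        })
    return sessions


def parse_coa_result(xml_bytes):
    """True when ISE reports the CoA was accepted (element name is an assumption)."""
    return ET.fromstring(xml_bytes).findtext("results", "").strip().lower() == "true"


def ise_get(url, user=ISE_USER, password=ISE_PASS, ca_bundle=CA_BUNDLE, timeout=10):
    """Real HTTP fetch with basic auth and a pinned internal CA; not used by the test."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}",
                                               "Accept": "application/xml"})
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read()


def disconnect_user(username, fetch=ise_get, host=ISE_HOST):
    """Look up every active session for `username` and issue a CoA disconnect
    for each. Returns [(coa_url, accepted_bool), ...] so the caller can log it."""
    sessions = parse_active_sessions(fetch(session_lookup_url(host, username)))
    outcome = []
    for s in sessions:
        if s["user"] != username or not s["mac"] or not s["psn"]:
            continue  # never act on a row that does not match the requested user
        url = coa_disconnect_url(host, s["psn"], s["mac"])
        outcome.append((url, parse_coa_result(fetch(url))))
    return outcome


def _offline_fetch(url):
    """Stand-in for ise_get that serves the constructed samples."""
    return SAMPLE_COA_XML if "/CoA/Disconnect/" in url else SAMPLE_SESSION_XML


if __name__ == "__main__":
    for url, ok in disconnect_user("bob", fetch=_offline_fetch):
        print(("accepted " if ok else "REJECTED ") + url)
```

Log the returned `(url, accepted)` pairs from the web app's "compromised" button handler alongside the account-disable action; a `False` result (or an empty list, meaning no session was found) is the signal that the VPN side still needs manual follow-up. As the thread notes, the CoA only has effect if the head end honours it, so verify on a test account before relying on it.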

Do you have a Cisco firewall with FMC? Look into the FMC API too.

Is your VPN on a Firepower or ASA? I know that at my org with ASA for VPN I can't kill an existing session from ISE, just block new sessions on VPN.

Thinking more now, I suppose this wouldn’t work with Android and Apple clients and could get more complex. I wish I could kick from a central place.

This is a very clever idea…

So I take it that it is not possible from the API? I forgot to mention (if it matters) we use “AnyConnect”

I think it would be possible to do with the ISE API. But I also think it would be easier to do it locally instead. The command is with AnyConnect.