topic did you find a solution other in Network Access Control

Anyconnect ISE posture problem

Jernej Vodopivec — Mon, 11 Mar 2019 07:06:38 GMT

I’m trying to get posture up&running with anyconnect ISE posture module for VPN connections.
The design:
- ASA with 9.6.1 SW installed
- Win 7 with Anyconnect 4.3.02039 VPN module installed only
- ISE 2.1 with patch 1
- Windows 2008R2 server for AD

Anyconnect profile configured on ISE:

- ISE posture: checked

- ISE posture (profile selection): anyconnectISEprofile

Posture configuration:

- discovery host: ISE's IP address

- server name rules: *

Authorization profile:
Access Type = ACCESS_ACCEPT
DACL = PERMIT_ALL_TRAFFIC
cisco-av-pair = url-redirect-acl=redirect
cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=a1da1780-e0e7-11e5-9151-005056bf7f51&action=cpp

Problem:
-          Client establishes VPN connection to ASA
-          Client opens web page that matches “redirect” ACL on ASA
-          ASA redirects client to ISE provisioning portal listening on tcp/8443
-          Client clicks on download link
-          File anyconnect-ise-network-assistant-win-4.3.02039.exe is downloaded
-          Network Setup Assistant window opens and I got the error message: Couldn't connect to server

It seems client can’t find ISE policy server?

According to the following rules found on cisco.com webpage:
Posture Run-time Services
The posture run-time services encapsulate all the interactions that happen between the client agent and the Cisco ISE server for posture assessment and remediation of clients.
Posture run-time services begin with the Discovery Phase. An endpoint session is created after the endpoint passes 802.1x authentication. The client agent then attempts to connect to a Cisco ISE node by sending discovery packets through different methods in the following order:
1    via HTTP to Port 80 on a Cisco ISE server (if configured)
2    via HTTPS to Port 8905 on a Cisco ISE server (if configured)
3    via HTTP to Port 80 on the default gateway
4    via HTTPS to Port 8905 to each previously contact server
5    via HTTP to Port 80 on enroll.cisco.com

I can find by capturing traffic with wireshark:
- request to port tcp/80 to default gateway – gateway sends RST packet which is expected
- DNS query for enroll.cisco.com
I also created static enroll.cisco.com record and point it to ISE IP but it didn’t help solve the problem.

Any idea what could be wrong?

Are you allowing the DNS

Marvin Rhoads — Mon, 26 Sep 2016 15:03:29 GMT

Are you allowing the DNS resolution (udp/53 to the configured DNS servers) in your pre-authZ ACL?

Hi Marvin,

Jernej Vodopivec — Mon, 26 Sep 2016 15:15:15 GMT

Hi Marvin,

there is a DNS server configured on ASA's group policy: internal DNS server with IP .51. There is also local domain configured: test.local.

There is also split tunneling configured in tunnel policy: to tunnel only local network where AD/DNS and ISE server are located.

There is a rule "DACL = PERMIT_ALL_TRAFFIC" configured in pre-authZ ACL. There is "redirect" policy configured in this pre-authZ ACL: deny ip from any to AD/DNS; deny ip from any to ISE; permit tcp any any http/https.

Client can successfully resolve hostname ise.test.local. Client can send DNS recursive query to local DNS server and gets respone.

Hmm OK thanks Jernej.

Marvin Rhoads — Mon, 26 Sep 2016 17:15:42 GMT

Hmm OK thanks Jernej.

It sounds like you've pretty much got a textbook setup.

Are you able to see in your packet capture what query it is trying while the Network Setup Assistant is running?

Have you tried pre-installing the ISE Posture Module along with the VPN module in AnyConnect?

Hi Marvin, I can see only one

Jernej Vodopivec — Wed, 28 Sep 2016 04:00:06 GMT

Hi Marvin, I can see only one DNS query: enroll.cisco.com.

But I've manage to solve the problem by reconfiguring ASA's group policy from "tunnel specific network list" to "tunnel all networks".

Thank you for you help anyway. Much appreciate it.

You're welcome.

Marvin Rhoads — Wed, 28 Sep 2016 04:05:52 GMT

You're welcome.

Thanks for letting us know the resolution that worked for you.

Hi Team,

Bob Goal — Mon, 24 Oct 2016 09:09:34 GMT

Hi Team,

I've got exactly the same issue. ISE 2.1, Anyconnect 4.2.05015, ASA 9.5.(2). Turning off split tunnel resolves the issue but I need split tunneling feature. How to resolve it?

If you absolutely need split

Peter Koltl — Tue, 25 Oct 2016 05:42:48 GMT

If you absolutely need split tunnel you can narrow down which public block in the split tunnel the client requires. You can start with 0.0.0.0-31.255.255.255 etc.

In this topic are some

Bob Goal — Tue, 25 Oct 2016 05:51:31 GMT

In this topic are some interesting hints https://supportforums.cisco.com/discussion/11795926/ise-redirect-install-nac-agent-anyconnect-users-split-tunnel I'm going to test it and give a feedback.

I found that tunneling all

Bob Goal — Tue, 25 Oct 2016 08:30:40 GMT

I found that tunneling all traffic is not required, Anyconnect tries to connect to enroll.cisco.com. I found its IP and added it to spilt tunnel ACL. That is working fine.

$ dig @192.168.201.48 enroll.cisco.com +short
mus.cisco.com.
72.163.1.80

Add host to split ACL:

access-list ACL_SPLIT standard permit host 72.163.1.80

did you find a solution other

James Walsh — Mon, 07 Nov 2016 17:06:28 GMT

did you find a solution other than tunneling all networks? I need to have split tunneling enabled for specific networks only and i am having the same issue as you are...................

Hi, the solution is in other

Bob Goal — Mon, 07 Nov 2016 18:20:40 GMT

Hi, the solution is in other of my post in this topic.

can you send me the link to

James Walsh — Mon, 07 Nov 2016 18:25:48 GMT

can you send me the link to that post? I can't find it. thanks for your help!