ISE policy server issue

GiHan55803 — Mon, 02 Sep 2019 08:36:08 GMT

Hello,

We have an issue on our ISE where when a user who works at another site most weeks. When they've been on the 3rd party network their anyconnect profile service updates on our laptops with the 3rd party server settings. When we inspect laptop the policy server is not auto updating by itself and still has the 3rd party server in the configuration. We must replace the cfg file to get this working again.

Is there anything we can do to ensure this updates to our own/stops this being overwritten froma design standpoint.

Re: ISE policy server issue

Colby LeMaire — Mon, 02 Sep 2019 17:30:37 GMT

I have to assume that you are referring to the Anyconnect ISE Posture Agent. It will keep track of any policy servers that it has previously connected to for use in its discovery phase. If your client provisioning/posture redirection stuff is configured correctly (i.e. redirect ACL, client provisioning policies), then this shouldn't cause a problem. So I would double check those things first. Then, you can modify the posture profile in ISE to limit which policy servers it can connect to so that it doesn't connect to PSNs outside of your environment. You can also use the Discovery Host field there to force it to redirect in your environment. Use an IP address or FQDN that you know would hit on your redirection ACLs. Do not put a PSN in the Discovery Host field. Following is a screenshot:

topic ISE policy server issue in Network Access Control

ISE policy server issue

Re: ISE policy server issue