<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic ISE 2.2 AnyConnect Posturing without using redirect in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/ise-2-2-anyconnect-posturing-without-using-redirect/m-p/3558450#M505497</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello, I have a challenge. I have AnyConnect posture for Antivirus. My computers go to hibernate and after returning from hibernation my Office 365 connection sends me a certificate warning. I assume this is due to the redirection of TCP 80/443 to client provisioning and the ISE PSN certificate being presented instead of Office 365.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Since finding out about Office 365 IP addresses would be a paramount, I thought of having AnyConnect statically look for the PSN/CPP. Has anyone done this? Any guidance on how to accomplish this?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I appreciate it.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Homero Ruiz&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 25 Apr 2018 18:32:07 GMT</pubDate>
    <dc:creator>hruizman</dc:creator>
    <dc:date>2018-04-25T18:32:07Z</dc:date>
    <item>
      <title>ISE 2.2 AnyConnect Posturing without using redirect</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-2-2-anyconnect-posturing-without-using-redirect/m-p/3558450#M505497</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello, I have a challenge. I have AnyConnect posture for Antivirus. My computers go to hibernate and after returning from hibernation my Office 365 connection sends me a certificate warning. I assume this is due to the redirection of TCP 80/443 to client provisioning and the ISE PSN certificate being presented instead of Office 365.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Since finding out about Office 365 IP addresses would be a paramount, I thought of having AnyConnect statically look for the PSN/CPP. Has anyone done this? Any guidance on how to accomplish this?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I appreciate it.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Homero Ruiz&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 25 Apr 2018 18:32:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-2-2-anyconnect-posturing-without-using-redirect/m-p/3558450#M505497</guid>
      <dc:creator>hruizman</dc:creator>
      <dc:date>2018-04-25T18:32:07Z</dc:date>
    </item>
    <item>
      <title>Re: ISE 2.2 AnyConnect Posturing without using redirect</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-2-2-anyconnect-posturing-without-using-redirect/m-p/3558451#M505498</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Per &lt;A href="https://community.cisco.com/message/288826"&gt;Re: Posture 2.2-style&lt;/A&gt;, you can set up a direct link Client Provisioning Portal.&amp;nbsp; Even if redirected to PSN after connection lost, the portal cert should be trusted.&amp;nbsp; However, if redirecting HTTPS, then that would explain cert warning for the NAD itself.&amp;nbsp; Yes, ISE 2.2 Posture without redirect could be used to send request to PSN directly for redirect without NAD intervention.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 25 Apr 2018 23:41:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-2-2-anyconnect-posturing-without-using-redirect/m-p/3558451#M505498</guid>
      <dc:creator>Craig Hyps</dc:creator>
      <dc:date>2018-04-25T23:41:45Z</dc:date>
    </item>
    <item>
      <title>Re: ISE 2.2 AnyConnect Posturing without using redirect</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-2-2-anyconnect-posturing-without-using-redirect/m-p/3558452#M505499</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The other thing I would say too, as this seems to be a common issue people post on, is that if you aren't using the CPP portal to install anything for posturing (I never do outside of testing), then the URL redirect only needs to intercept port 80 calls to discovery methods, i.e. default gateway, enroll.cisco.com or discovery host.&amp;nbsp; You can still DACL/ACL block traffic in a preposture state, but you don't need to URL redirect anything other than the discovery methods.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I see too many people redirecting all HTTP/HTTPS traffic; then, when the OS is doing portal detection or sending out web traffic, it ends up kicking up the CPP page and causing confusion.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 26 Apr 2018 02:14:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-2-2-anyconnect-posturing-without-using-redirect/m-p/3558452#M505499</guid>
      <dc:creator>paul</dc:creator>
      <dc:date>2018-04-26T02:14:44Z</dc:date>
    </item>
  </channel>
</rss>

