https://community.cisco.com/t5/network-access-control/anyconnect-posture-module-between-client-and-stealth-mode/m-p/3699274#M508380 <P>I found it best to also define the ISE Posture profile in ASA; e.g.</P> <P><FONT face="courier new,courier" size="3"># show running-config webvpn</FONT><BR /><FONT face="courier new,courier" size="3">webvpn</FONT><BR /><FONT face="courier new,courier" size="3"> enable outside</FONT><BR /><FONT face="courier new,courier" size="3"> anyconnect image disk0:/anyconnect-win-4.6.01103-webdeploy-k9.pkg 1 regex "Windows NT"</FONT><BR /><FONT face="courier new,courier" size="3"> anyconnect image disk0:/anyconnect-linux64-4.6.01103-webdeploy-k9.pkg 2 regex "Linux"</FONT><BR /><FONT face="courier new,courier" size="3"> anyconnect image disk0:/anyconnect-macos-4.6.01103-webdeploy-k9.pkg 3 regex "Intel Mac OS X"</FONT><BR /><FONT color="#0000FF"><STRONG><FONT face="courier new,courier" size="3"> anyconnect profiles ISEPosture1 disk0:/ISEPostureCFG.xml</FONT></STRONG></FONT><BR /><FONT face="courier new,courier" size="3"> anyconnect profiles ise-vpn-lab disk0:/ise-vpn-lab.xml</FONT><BR /><FONT face="courier new,courier" size="3"> anyconnect enable</FONT><BR /><FONT face="courier new,courier" size="3"> cache</FONT><BR /><FONT face="courier new,courier" size="3"> disable</FONT><BR /><FONT face="courier new,courier" size="3"> error-recovery disable</FONT></P> <P>&nbsp;</P> Sun, 02 Sep 2018 02:06:38 GMT hslai 2018-09-02T02:06:38Z https://community.cisco.com/t5/network-access-control/anyconnect-posture-module-between-client-and-stealth-mode/m-p/3687402#M508371 <P>Customer is running AnyConnect and Posture Module on Windows endpoints. When connected to VPN, customer would like the posture module to show up and show status. When connected to LAN and WLAN, customer would like Stealth Mode. We got this to work by configuring different Client Provisioning Policies under Posture for each connection. So when an end user connects and authenticates via VPN on the ASA, the Posture Module runs and is visible, but when connecting to LAN or WLAN, the Posture Module disappears and runs in Stealth Mode. One issue when bouncing back between LAN/WLAN and VPN is that it take 30 seconds or so for the Posture Module to appear and scan the device after VPN connection and Authentication. Is there a way to have the module run quicker?</P> Mon, 13 Aug 2018 18:59:08 GMT https://community.cisco.com/t5/network-access-control/anyconnect-posture-module-between-client-and-stealth-mode/m-p/3687402#M508371 edmcnich 2018-08-13T18:59:08Z https://community.cisco.com/t5/network-access-control/anyconnect-posture-module-between-client-and-stealth-mode/m-p/3687494#M508372 You need the Posture Module to send it’s Discovery requests more quickly, but I’m not sure there is an easy way to do this, though I have similar frustrations so it’d be good if someone knew a way! Mon, 13 Aug 2018 20:44:20 GMT https://community.cisco.com/t5/network-access-control/anyconnect-posture-module-between-client-and-stealth-mode/m-p/3687494#M508372 RichardAtkin 2018-08-13T20:44:20Z https://community.cisco.com/t5/network-access-control/anyconnect-posture-module-between-client-and-stealth-mode/m-p/3687556#M508375 <P>What trick are you using for posture discovery when on VPN?&nbsp; Are you redirecting one of the know calls like enroll.cisco.com?&nbsp; Or using a posture discovery host?</P> Mon, 13 Aug 2018 22:14:44 GMT https://community.cisco.com/t5/network-access-control/anyconnect-posture-module-between-client-and-stealth-mode/m-p/3687556#M508375 paul 2018-08-13T22:14:44Z https://community.cisco.com/t5/network-access-control/anyconnect-posture-module-between-client-and-stealth-mode/m-p/3689260#M508378 <P>Basically in the client provisioning policy we created a condition for Windows devices that if authentication from VPN_Group (which is the ASAs doing RAVPN), Results will be posture module. For all other NAS devices (WLC, Switches), results will be AnyConnect Stealth. Only issue is that when we switch from wireless to VPN, it takes about 30-40 seconds for the posture module to enable.</P> Wed, 15 Aug 2018 20:42:29 GMT https://community.cisco.com/t5/network-access-control/anyconnect-posture-module-between-client-and-stealth-mode/m-p/3689260#M508378 edmcnich 2018-08-15T20:42:29Z https://community.cisco.com/t5/network-access-control/anyconnect-posture-module-between-client-and-stealth-mode/m-p/3699274#M508380 <P>I found it best to also define the ISE Posture profile in ASA; e.g.</P> <P><FONT face="courier new,courier" size="3"># show running-config webvpn</FONT><BR /><FONT face="courier new,courier" size="3">webvpn</FONT><BR /><FONT face="courier new,courier" size="3"> enable outside</FONT><BR /><FONT face="courier new,courier" size="3"> anyconnect image disk0:/anyconnect-win-4.6.01103-webdeploy-k9.pkg 1 regex "Windows NT"</FONT><BR /><FONT face="courier new,courier" size="3"> anyconnect image disk0:/anyconnect-linux64-4.6.01103-webdeploy-k9.pkg 2 regex "Linux"</FONT><BR /><FONT face="courier new,courier" size="3"> anyconnect image disk0:/anyconnect-macos-4.6.01103-webdeploy-k9.pkg 3 regex "Intel Mac OS X"</FONT><BR /><FONT color="#0000FF"><STRONG><FONT face="courier new,courier" size="3"> anyconnect profiles ISEPosture1 disk0:/ISEPostureCFG.xml</FONT></STRONG></FONT><BR /><FONT face="courier new,courier" size="3"> anyconnect profiles ise-vpn-lab disk0:/ise-vpn-lab.xml</FONT><BR /><FONT face="courier new,courier" size="3"> anyconnect enable</FONT><BR /><FONT face="courier new,courier" size="3"> cache</FONT><BR /><FONT face="courier new,courier" size="3"> disable</FONT><BR /><FONT face="courier new,courier" size="3"> error-recovery disable</FONT></P> <P>&nbsp;</P> Sun, 02 Sep 2018 02:06:38 GMT https://community.cisco.com/t5/network-access-control/anyconnect-posture-module-between-client-and-stealth-mode/m-p/3699274#M508380 hslai 2018-09-02T02:06:38Z