https://community.cisco.com/t5/network-access-control/ise-posture-mandatory-initial-url-redirect/m-p/3570542#M523255 <HTML><HEAD></HEAD><BODY><P>Hi Team, </P><P>We are working with a customer on a very large project for Posture validation checks with ISE 2.2, AnyConnect 4.4.X and Compliance Module 3.6.X and would very much appreciate your thoughts on an issue they are seeing.</P><P>They do not want to use ISE for the deployment of AnyConnect and want to avoid as much burden for the user as possible.</P><P>For the initial testing they tried doing a manual install of the client and .xml config file to the endpoint. And found that AC would not speak to ISE (although ISE server name is correct in the cfg file) until the endpoint is URL-redirected to ISE at least one first time. After that there is no need for URL redirect in the ISE policy anymore.</P><P>Is there a way we can avoid that first URL-Redirect? Are we maybe missing something with the manual install like an initial negotiation/id_exchange/other?</P><P>Thanks for your help.</P><P>--</P><P>Ignacio </P></BODY></HTML> Wed, 02 Aug 2017 08:18:47 GMT jbenitol 2017-08-02T08:18:47Z https://community.cisco.com/t5/network-access-control/ise-posture-mandatory-initial-url-redirect/m-p/3570542#M523255 <HTML><HEAD></HEAD><BODY><P>Hi Team, </P><P>We are working with a customer on a very large project for Posture validation checks with ISE 2.2, AnyConnect 4.4.X and Compliance Module 3.6.X and would very much appreciate your thoughts on an issue they are seeing.</P><P>They do not want to use ISE for the deployment of AnyConnect and want to avoid as much burden for the user as possible.</P><P>For the initial testing they tried doing a manual install of the client and .xml config file to the endpoint. And found that AC would not speak to ISE (although ISE server name is correct in the cfg file) until the endpoint is URL-redirected to ISE at least one first time. After that there is no need for URL redirect in the ISE policy anymore.</P><P>Is there a way we can avoid that first URL-Redirect? Are we maybe missing something with the manual install like an initial negotiation/id_exchange/other?</P><P>Thanks for your help.</P><P>--</P><P>Ignacio </P></BODY></HTML> Wed, 02 Aug 2017 08:18:47 GMT https://community.cisco.com/t5/network-access-control/ise-posture-mandatory-initial-url-redirect/m-p/3570542#M523255 jbenitol 2017-08-02T08:18:47Z https://community.cisco.com/t5/network-access-control/ise-posture-mandatory-initial-url-redirect/m-p/3570543#M523256 <HTML><HEAD></HEAD><BODY><P>Hi Ignacio,</P><P>you need to copy this file,&nbsp; ConnectionData.xml into:</P><P> C:\Users\All Users\Cisco\Cisco AnyConnect Secure Mobility Client\ISE posture</P><P></P><P> Edit the xml&nbsp; file&nbsp; and instert he ISE URL:</P><P>t</P><P>ConnectionData.xml</P><P>&lt;?xml version="1.0" ?&gt;</P><P>&lt;records&gt;</P><P>&nbsp;&nbsp;&nbsp; &lt;record&gt;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;primary&gt;postureportal.ise.YOUR-ISE.com&lt;/primary&gt;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;port&gt;8999&lt;/port&gt;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;status_path&gt;/auth/status&lt;/status_path&gt;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;ng-discovery&gt;/auth/ng-discovery&lt;/ng-discovery&gt;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;time&gt;1495024640&lt;/time&gt;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;backups&gt;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;backup&gt;SECONDARY-ISE.com&lt;/backup&gt;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/backups&gt;</P><P>&nbsp;&nbsp;&nbsp; &lt;/record&gt;</P><P>&lt;/records&gt;</P><P>With this one, anyconnect can go straight to postureportal.</P><P>Remember that th URL redirect sometimes is banned from Firewalls along the way between the client with AC , the first L2 switch that intercept the URL redirect and ISE.</P><P>Stefano</P></BODY></HTML> Wed, 02 Aug 2017 13:17:18 GMT https://community.cisco.com/t5/network-access-control/ise-posture-mandatory-initial-url-redirect/m-p/3570543#M523256 stefano.marzi 2017-08-02T13:17:18Z https://community.cisco.com/t5/network-access-control/ise-posture-mandatory-initial-url-redirect/m-p/3570544#M523257 <HTML><HEAD></HEAD><BODY><P>That trick will only work if set to specific PSN or PSNs that may be RADIUS session owner.</P><P></P><P>With ISE 2.2 you no longer require URL redirection to trigger posture to ensure client hit the correct PSN that owns the RADIUS session.&nbsp;&nbsp; ISE 2.2 also adds option to deploy AC directly from a portal without redirection.</P><P></P><P>/Craig</P></BODY></HTML> Wed, 02 Aug 2017 14:04:46 GMT https://community.cisco.com/t5/network-access-control/ise-posture-mandatory-initial-url-redirect/m-p/3570544#M523257 Craig Hyps 2017-08-02T14:04:46Z https://community.cisco.com/t5/network-access-control/ise-posture-mandatory-initial-url-redirect/m-p/3570545#M523258 <HTML><HEAD></HEAD><BODY><P>Adding to Craig's, the AnyConnect Profile Editor for ISE Posture module, release 4.4+, has the option to define "Call Home List".</P><P>You might also want to take a look at </P><P></P><P><A href="http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect44/administration/guide/b_AnyConnect_Administrator_Guide_4-4/configure-posture.html#reference_288A1C28DF1549DB9CB171E085944379">AnyConnect 4.4 ISE Posture Profile Editor</A></P><P><A href="http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html">ISE posture style comparison for pre and post 2.2 - Cisco</A></P><P></P><P><IMG alt="Screen Shot 2017-08-02 at 1.58.55 PM.png" class="image-1 jive-image" height="289" src="/legacyfs/online/fusion/109918_Screen Shot 2017-08-02 at 1.58.55 PM.png" style="height: 288.56935483870967px; width: 419px;" width="419" /></P></BODY></HTML> Wed, 02 Aug 2017 21:05:05 GMT https://community.cisco.com/t5/network-access-control/ise-posture-mandatory-initial-url-redirect/m-p/3570545#M523258 hslai 2017-08-02T21:05:05Z