topic Re: Posturing triggered even for CWA in Network Access Control

Posturing triggered even for CWA

giosif — Wed, 12 Apr 2017 14:27:24 GMT

Hi,

A customer running an ISE 1.4 (patch level 10) deployment is using multiple interfaces on the PSN's, as follows:

GE0 - for "general" communication (i.e. other ISE nodes, Active Directory, NTP, etc.)

GE1 - for RADIUS and posturing (i.e. CPP)

GE2 - for guest (i.e. CWA portal)

A company laptop running AnyConnect with ISE posture module would normally connect and, then, be postured by the posture module on the client talking to the PSN over the GE1 interface.

However, we were testing some use cases where the same laptop would need to perform web authentication and, for that, we created a guest portal using the GE2 interface (and associated authorization policies with the appropriate authorization profiles).

The issue is that, although we were hitting the correct authorization policy and the client was being redirected to the proper guest portal page (when we opened a browser and tried to go to "yahoo.com"), at the same time, the ISE posture module was kicking off (that was expected) and finding a policy server and actually performing the posture evaluation (that was not expected).

I did a packet capture on the client when we saw this issue and I am only seeing communication between the client and the GE2 interface of the PSN.

Also, in terms of redirects, the client is always redirected to a URL containing "action=cwa" and never "cpp".

All this sounds like a bug to me, but wanted to first check whether it somehow may be expected behaviour.

Thank you!

UPDATE: I forgot to mention that I confirmed "Require guest device compliance" was disabled on the guest portal.

Re: Posturing triggered even for CWA

Jason Kunst — Wed, 12 Apr 2017 15:54:12 GMT

Posture will be triggered from CWA flow, but can’t recall latest status on “official” full agent support with CWA flow. Traditionally assumed web agent. And to question, when enable the posture checkbox, the redirect will be to cwa, not cpp. If responded to a successful “guest-flow”, then you could redirect back to cpp. This basically splits the operations into two.

Posture triggered from cwa should link to interface and certs on same portal when part of one flow, not divert to separate portal/interface. If split operations, then expect it to shift over.

Re: Posturing triggered even for CWA

giosif — Wed, 12 Apr 2017 16:10:02 GMT

Thanks, Jason!

I wasn't aware that posturing for CWA flow is implicitly enabled.

So, this would mean that "Require guest device compliance" on the guest portal is only to say posturing is *required*, because triggering is being done anyhow (i.e. independent of this option being enabled or disabled).

Is that fair?

Also, understand the other points you make and I wasn't disptuing them.

I was mentioning them in support of my main observation: posturing is triggered for CWA flow (i.e. it wasn't some sort of misconfiguration or client being redirected to the wrong interface on the PSN, etc.).

Re: Posturing triggered even for CWA

Jason Kunst — Wed, 12 Apr 2017 16:18:19 GMT

Correct!

Re: Posturing triggered even for CWA

giosif — Wed, 12 Apr 2017 16:20:21 GMT

Great!

Many thanks for the response!