https://community.cisco.com/t5/network-access-control/ise-posture-issues-over-vpn/m-p/3440385#M530563 <HTML><HEAD></HEAD><BODY><P>Awesome, thanks so much.</P></BODY></HTML> Tue, 28 Mar 2017 17:28:25 GMT Network Engineering 2017-03-28T17:28:25Z https://community.cisco.com/t5/network-access-control/ise-posture-issues-over-vpn/m-p/3440380#M530558 <HTML><HEAD></HEAD><BODY><P>Hi - I got the below question from a partner. Any guidance would be great!</P><P></P><P>Summary</P><P></P><P>When a client connects over VPN they are authenticated against ISE and they are initially “Posture Status: Unknown” state, this causes them to get the redirect authorisation profile. This is fine initially as it means they get provisioned etc.. on subsequent connections when they are fully provisioned though they still are “Posture Status: Unknown” on initial connection. </P><P></P><P>When Windows O/S does a “Internet Availability Check” it triggers the redirect which means clients always get sent to the client provisioning portal in browser on every connection. This is not ideal as the client is already provisioned and caused a bit of confusion.</P><P></P><P>I need the redirect to be in place or else clients can’t be provisioned.</P><P></P><P>Pseudo Code of Authorisation Policy </P><P>-&nbsp;&nbsp;&nbsp; If Compliant then compliant_access</P><P>-&nbsp;&nbsp;&nbsp; If Non-Compliant then noncompliant_access</P><P>-&nbsp;&nbsp;&nbsp; If Unknown then redirect to client provisioning</P><P></P><P></P><P>My Solution</P><P></P><P>My solution at the moment is to have a “provisioning” profile and “production” profile on the ASA. When the client first connects and is provisioned with the client, I am also pushing profiles which change the default connection to a new VPN profile. The ISE posture module is configured with a profile which points it at ISE on subsequent connections. </P><P></P><P>I use policy sets on ISE so the production VPN profile uses a different policy set. This authorisation profile on ISE still has a redirect in place for “Posture Status:Unknown” but with a “deny all” ACL so nothing is ever redirected. (If don’t have a redirect in place it screws up the ISE logging). </P><P></P><P>It also uses an ASA filter to ensure limited access before posture status is updated. I tried using a DACL but this overwrites the user identity with ACL name for reporting. </P><P></P><P></P><P>Problem</P><P></P><P>My solution works, but I am concerned because seems a bit of a hack and if upgrade ISE or change anything potentially it breaks. I am surprised that only a few people seem to have encountered this problem or are living with it. The design is as per Cisco documentation for the original profile, so assume the redirection on subsequent connections is happening for anyone doing ASA posture assessment. </P><P></P><P>ISE 2.2 had some posture assessment enhancements but they are fairly poorly documented so not sure if they resolve this issue. Customer is using ISE 2.0, they can’t upgrade to 2.1 or 2.2 because ESXi is only 5.0 currently. </P><P></P><P>Any thoughts how this can be addressed more elegantly? </P></BODY></HTML> Mon, 27 Mar 2017 04:24:46 GMT https://community.cisco.com/t5/network-access-control/ise-posture-issues-over-vpn/m-p/3440380#M530558 jatinps 2017-03-27T04:24:46Z https://community.cisco.com/t5/network-access-control/ise-posture-issues-over-vpn/m-p/3440381#M530559 <HTML><HEAD></HEAD><BODY><P>You should only see this problem potentially if you are doing non-split tunneling VPNs.&nbsp; For many of my customers with the layered security they are applying to the endpoints they are doing split-tunnel so Internet availability check should be a non-issue.&nbsp; The posture module's main way to detect what PSN to report posture to is by doing a port 80 call to the default gateway.&nbsp; So the only thing you really need to redirect is that traffic.&nbsp; </P><P></P><P>You could block internal access, expect access to the PSNs, but allow Internet access in the posture unknown state.&nbsp; </P></BODY></HTML> Mon, 27 Mar 2017 15:39:01 GMT https://community.cisco.com/t5/network-access-control/ise-posture-issues-over-vpn/m-p/3440381#M530559 paul 2017-03-27T15:39:01Z https://community.cisco.com/t5/network-access-control/ise-posture-issues-over-vpn/m-p/3440382#M530560 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 11.0pt; font-family: Calibri;">Another option is to only redirect on certain sites to allow the user to provision the agent. Example: provision.yourdomain.com, your discovery host would also be provision.domain.com, this will need to be a resolvable host in your environment for redirect to work as well.</SPAN></P><P></P><P><SPAN style="font-size: 11.0pt; font-family: Calibri;">In ISE 2.2 and anyconnect 4.4 we don’t require redirect. This may help you as well. But i see you can't move to 2.2 as of yet</SPAN></P></BODY></HTML> Mon, 27 Mar 2017 16:51:55 GMT https://community.cisco.com/t5/network-access-control/ise-posture-issues-over-vpn/m-p/3440382#M530560 Jason Kunst 2017-03-27T16:51:55Z https://community.cisco.com/t5/network-access-control/ise-posture-issues-over-vpn/m-p/3440383#M530561 <HTML><HEAD></HEAD><BODY><P><A href="https://community.cisco.com//u1/147838">jakunst</A>&nbsp; Do you have any documentation on how ISE 2.2 and AnyConnect 4.4 can be configured not to require redirect?</P></BODY></HTML> Tue, 28 Mar 2017 02:23:35 GMT https://community.cisco.com/t5/network-access-control/ise-posture-issues-over-vpn/m-p/3440383#M530561 Network Engineering 2017-03-28T02:23:35Z https://community.cisco.com/t5/network-access-control/ise-posture-issues-over-vpn/m-p/3440384#M530562 <HTML><HEAD></HEAD><BODY><P>I have asked the SME to reach out and reply</P></BODY></HTML> Tue, 28 Mar 2017 17:21:23 GMT https://community.cisco.com/t5/network-access-control/ise-posture-issues-over-vpn/m-p/3440384#M530562 Jason Kunst 2017-03-28T17:21:23Z https://community.cisco.com/t5/network-access-control/ise-posture-issues-over-vpn/m-p/3440385#M530563 <HTML><HEAD></HEAD><BODY><P>Awesome, thanks so much.</P></BODY></HTML> Tue, 28 Mar 2017 17:28:25 GMT https://community.cisco.com/t5/network-access-control/ise-posture-issues-over-vpn/m-p/3440385#M530563 Network Engineering 2017-03-28T17:28:25Z https://community.cisco.com/t5/network-access-control/ise-posture-issues-over-vpn/m-p/3440386#M530564 <HTML><HEAD></HEAD><BODY><P>Hi Jason,</P><P></P><P>Did you find out how we can configure <SPAN style="color: #3d3d3d; font-family: arial; font-size: 12px;">ISE 2.2 and AnyConnect 4.4 to not require redirect ?</SPAN></P></BODY></HTML> Fri, 09 Jun 2017 11:22:28 GMT https://community.cisco.com/t5/network-access-control/ise-posture-issues-over-vpn/m-p/3440386#M530564 gunnar.liknes 2017-06-09T11:22:28Z https://community.cisco.com/t5/network-access-control/ise-posture-issues-over-vpn/m-p/3440387#M530565 <HTML><HEAD></HEAD><BODY><P><A href="https://salesconnect.cisco.com/open.html?c=6c4d7199-cf6d-489d-b2f3-e181d0c3d1c8">GOLDLab: SEC-ISE 2.2 Update Lab</A></P><P>@ SalesConnect has an exercise on that.</P><P></P><P>Also see <A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html" style="font-family: Calibri, sans-serif; font-size: 16px;">ISE posture style comparison for pre and post 2.2</A></P></BODY></HTML> Fri, 09 Jun 2017 14:57:34 GMT https://community.cisco.com/t5/network-access-control/ise-posture-issues-over-vpn/m-p/3440387#M530565 hslai 2017-06-09T14:57:34Z