https://community.cisco.com/t5/network-access-control/cisco-ise-pre-and-post-posture/m-p/3936553#M541228 Please also look at the ISE posture guide and no redirect option<BR /><A href="https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273" target="_blank">https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273</A><BR /><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html</A> Mon, 07 Oct 2019 16:44:18 GMT Jason Kunst 2019-10-07T16:44:18Z https://community.cisco.com/t5/network-access-control/cisco-ise-pre-and-post-posture/m-p/3935960#M541224 <P>Hi All ,&nbsp;</P><P>&nbsp;</P><P>we have cisco ISE 2.4 ,&nbsp; Distributed deployment with Wired , Wireless and VPN.</P><P>&nbsp;</P><P>currently we have&nbsp; Pre-Posture configuration ( i.e. we have to enable http server on Cisco Switches for redirect ) .</P><P>&nbsp;</P><P>can we move to Post-posture configuration ? currently we have more then 800 hundred users in production ..</P><P>&nbsp;</P><P>what cisco best practices says&nbsp; ? should we go for Post-Posture configuration&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Regards ,&nbsp;</P> Sun, 06 Oct 2019 10:00:19 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-pre-and-post-posture/m-p/3935960#M541224 aslam.bajwa 2019-10-06T10:00:19Z https://community.cisco.com/t5/network-access-control/cisco-ise-pre-and-post-posture/m-p/3935962#M541225 <P>Hi,</P> <P>I assume you referring to post ISE 2.2 posture which does not require a redirect? You need to pre-provision the AnyConnect client and the ISEPostureCFG.XML configuration file, this need to be configured with call home list in order to start the posture process. Reference <A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html" target="_self">here</A>.</P> <P>&nbsp;</P> <P>HTH</P> Sun, 06 Oct 2019 10:13:27 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-pre-and-post-posture/m-p/3935962#M541225 Rob Ingram 2019-10-06T10:13:27Z https://community.cisco.com/t5/network-access-control/cisco-ise-pre-and-post-posture/m-p/3935967#M541226 <P>Hi RJI ,&nbsp;</P><P>&nbsp;</P><P>many thanks for your reply .</P><P>&nbsp;</P><P>correct , i am asking about&nbsp;<SPAN>post ISE 2.2 posture , but my man concern is what is the cisco best practices and recommendations.</SPAN></P><P>&nbsp;</P><P><SPAN>&nbsp;Pre-Posture or Post posture&nbsp;</SPAN></P> Sun, 06 Oct 2019 10:43:27 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-pre-and-post-posture/m-p/3935967#M541226 aslam.bajwa 2019-10-06T10:43:27Z https://community.cisco.com/t5/network-access-control/cisco-ise-pre-and-post-posture/m-p/3935971#M541227 Well if you control the endpoints and can pre-deploy the configuration xml file and anyconnect posture client, you don't need the redirect ACL. Which saves on configuration and complexity. You can also manually provision the client, but browsing to the CPP webpage.<BR /><BR />However if haven't pre-deployed the anyconnect client and xml configuration file and you want the client to automatically be redirected to the CPP to provision the agent and configuration then you will need the redirection ACL.<BR /><BR />So it's not necessarily about best practice, it's about your scenario and if the endpoints have the configuration/agent. Ideally IMO you'd pre-deploy the necessary configuration files and anyconnect agent, then you don't need the redirection ACL but just rely on the call home list. Sun, 06 Oct 2019 11:21:59 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-pre-and-post-posture/m-p/3935971#M541227 Rob Ingram 2019-10-06T11:21:59Z https://community.cisco.com/t5/network-access-control/cisco-ise-pre-and-post-posture/m-p/3936553#M541228 Please also look at the ISE posture guide and no redirect option<BR /><A href="https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273" target="_blank">https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273</A><BR /><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html</A> Mon, 07 Oct 2019 16:44:18 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-pre-and-post-posture/m-p/3936553#M541228 Jason Kunst 2019-10-07T16:44:18Z