topic Re: Anyconnect Posture issue in Network Access Control

Anyconnect Posture issue

ciscoworlds — Fri, 21 Feb 2020 18:42:36 GMT

Hi;

I configured single standalone ISE 2.2 in my lab to authenticate clients and push them to install AnyConnect NAM, VPN and Compliance modules. Clients successfully authenticated and redirected to the provisioning portal. then they managed to install AnyConnect on their PCs and were asked to enter AD username/password. This was successful too and they got connected to the network. But they got "Searching For Policy Server" and "Unauthorized Policy Server" error messages on their Posture module (under System Scan Title). I reviewed "ISEPostureCFG.xml" which was inside the ISE Posture Folder on their computers and IP address of ISE was there. As result, AnyConnect could not connect to ISE to report the Posture results and then they couldn't match a separate AUTHZ rule on ISE which has been configured for compliant clients. Any idea?

Re: Anyconnect Posture issue

Francesco Molino — Thu, 28 Dec 2017 18:34:44 GMT

Ok you checked the profile file on the client and everything looks fine right?

What are authorization and acl pushed when the client is in unknown state (at the connection) ?

What logs are you seeing on ISE?

Re: Anyconnect Posture issue

ciscoworlds — Fri, 29 Dec 2017 13:37:43 GMT

Hi;

This is my Policy rules:

https://1drv.ms/i/s!AtnSgqfSTcPBxVh1negoFmBzAG5-

authz policy "TE-WIRED-PRE-nCOMPLIANT" permits everything toward ISE server and all client networks and puts clients in vlan 500.

https://1drv.ms/i/s!AtnSgqfSTcPBxVc7nm8oVgzXWWLW

I reviewed client PC for related files and saw there is only one file named "configuration_bad.xml"inside "NewConfigFiles" folder which contains my ISE IP address:

<DiscoveryHost>10.1.204.168</DiscoveryHost>

<ServerNameRules>10.1.204.168</ServerNameRules>

"ISEPostureCFG.xml" file which resides inside "ISE Posture" folder contains exact same content as "configuration_bad.xml"file!

The "Configuration.xml" file resides inside another folder "System" which contains Anyconnect Connection Profile "TWired-Network" as seen in the following image, but there is no line containing ISE IP address inside this file. Also you can see "Unauthorized Policy Server" error message has been displayed too.

https://1drv.ms/i/s!AtnSgqfSTcPBxVmKu-GOati6UwQD

At the end, ISE shows client has been successfully authenticated and matched first authz rule (which has been created for compliant:unknown users.

Re: Anyconnect Posture issue

Ben Walters — Fri, 29 Dec 2017 14:19:35 GMT

It sounds like it could be an issue with the posture config file, are you able to include that?

I found when setting up my test environment, even though it was different from yours (2 ISE nodes behind F5) I needed to use FQDN instead of IP address for the posture configuration so I created a host entry for my test ISE servers on my test machine.

Re: Anyconnect Posture issue

ciscoworlds — Fri, 29 Dec 2017 14:27:13 GMT

Hi;
You're right. I managed to solve the issue. I'd written IP address of ISE for both of fields ("Discovery Host" and "Server Name Rules"). Then changed "Server Name Rules" filed to FQDN rather than actual IP and uninstall Anyconnect on client and started the whole process again, but this time everything went as expected and client was able to match against compliant authz rule.
This is very strange and I'm not sure I read anything about it on Cisco website.

Re: Anyconnect Posture issue

Ben Walters — Fri, 29 Dec 2017 14:35:57 GMT

I know what you mean, when I first tried to set up provisioning it was almost impossible to find any good documentation on what is required for it to work properly. I had terrible results using the standalone ISE Posture Profile Editor program but then I read somewhere that you can create the configuration file in ISE itself.

Under Policy > Policy Elements > Results > Client Provisioning > Resources if you add an AnyConnect Posture Profile here it actually takes you through the values and gives you notes and descriptions for various settings which allowed me to actually get a working config going.

Glad to hear it is working for you now!