https://community.cisco.com/t5/network-access-control/anyconnect-posturing-on-virtual-machine-in-esxi/m-p/4159489#M563111 Hi Colby,<BR /><BR />Many thanks for your response. That’s the way we’re leaning with a dedicated NIC.<BR /><BR />Best, Leigh<BR /> Wed, 30 Sep 2020 14:40:26 GMT leighharrison 2020-09-30T14:40:26Z https://community.cisco.com/t5/network-access-control/anyconnect-posturing-on-virtual-machine-in-esxi/m-p/4159342#M563097 <P>Hello Folks,</P><P>&nbsp;</P><P>We've got a Windows 10 VM running in ESXi that we want to be able to run posturing on and push a remediation vlan to it if it's out of compliance.&nbsp; The VM sits in a host and is connected via a VDS.</P><P>&nbsp;</P><P>Is there any way of ISE pushing a COA for a VLAN to a VDS that anyone has come across?</P><P>&nbsp;</P><P>Best, Leigh</P> Wed, 30 Sep 2020 10:01:54 GMT https://community.cisco.com/t5/network-access-control/anyconnect-posturing-on-virtual-machine-in-esxi/m-p/4159342#M563097 leighharrison 2020-09-30T10:01:54Z https://community.cisco.com/t5/network-access-control/anyconnect-posturing-on-virtual-machine-in-esxi/m-p/4159450#M563106 <P>VMware VDS is not a supported access switch for ISE or 802.1x.&nbsp; It does not support RADIUS so you cannot send down AV pairs to change VLAN or assign a dACL.&nbsp; And most VMware environments will have the VDS connected to the physical infrastructure using trunk ports which should not be configured for 802.1x.</P><P>Now I have used VM's for testing ISE and posture and it works just fine.&nbsp; The catch is that you need to have a physical NIC on the ESXi host dedicated to the VM and then that NIC plugs into a supported access switch.&nbsp; Then from the switches perspective, it is just another 802.1x supplicant/client and you can do VLAN assignment on the access switch.&nbsp; This scenario works fine for lab testing but is not something you would come across in production since it basically defeats the purpose of virtualization.</P> Wed, 30 Sep 2020 13:54:48 GMT https://community.cisco.com/t5/network-access-control/anyconnect-posturing-on-virtual-machine-in-esxi/m-p/4159450#M563106 Colby LeMaire 2020-09-30T13:54:48Z https://community.cisco.com/t5/network-access-control/anyconnect-posturing-on-virtual-machine-in-esxi/m-p/4159489#M563111 Hi Colby,<BR /><BR />Many thanks for your response. That’s the way we’re leaning with a dedicated NIC.<BR /><BR />Best, Leigh<BR /> Wed, 30 Sep 2020 14:40:26 GMT https://community.cisco.com/t5/network-access-control/anyconnect-posturing-on-virtual-machine-in-esxi/m-p/4159489#M563111 leighharrison 2020-09-30T14:40:26Z https://community.cisco.com/t5/network-access-control/anyconnect-posturing-on-virtual-machine-in-esxi/m-p/4159684#M563116 <P>Leigh - The other thing I would add is that dynamic VLAN assignment is not recommended for Windows machines.&nbsp; Especially if they are part of a domain.&nbsp; When you change VLAN's, that means your IP address changes also.&nbsp; This can break GPO's, login scripts, drive mappings, etc.&nbsp; The recommendation would be to use a remediation dACL to restrict access and then once compliant, push down a new dACL that allows full access.&nbsp; In that scenario, the IP address of the client never changes, only the access they have.</P> Wed, 30 Sep 2020 20:45:31 GMT https://community.cisco.com/t5/network-access-control/anyconnect-posturing-on-virtual-machine-in-esxi/m-p/4159684#M563116 Colby LeMaire 2020-09-30T20:45:31Z https://community.cisco.com/t5/network-access-control/anyconnect-posturing-on-virtual-machine-in-esxi/m-p/4159739#M563118 Thanks Colby, Great tip!<BR /> Wed, 30 Sep 2020 23:07:26 GMT https://community.cisco.com/t5/network-access-control/anyconnect-posturing-on-virtual-machine-in-esxi/m-p/4159739#M563118 leighharrison 2020-09-30T23:07:26Z