topic Re: ISE 2.7 posturing MacOS installation issue in Network Access Control

ISE 2.7 posturing MacOS installation issue

KelvinT — Mon, 25 Jan 2021 15:56:05 GMT

ISE 2.7 patch 3

AnyConnect 4.8

MacOS

Smartcard

I am trying to install Anyconnect posturing on a MacOS manually (i.e. no JAMF or Mac Server). I install the application and place the ISEPostureCFG.xml file in the opt/cisco/anyconnect/profile/ folder. This file points to the correct PSNs.

When We attempt to scan it can't locate the servers.

Any idea why? I don't believe it's a firewall issue.

Thanks

Re: ISE 2.7 posturing MacOS installation issue

Mike.Cifelli — Mon, 25 Jan 2021 16:49:05 GMT

During client onboarding when the client posture status is 'Posture Unknown' do you apply a dacl of some sort limiting connectivity? Ensure that in this state access to the PSNs is allowed. List of ports:

----

Posture
- Discovery
- Provisioning
- Assessment/ Heartbeat

Discovery (Client side): TCP/80 (HTTP), TCP/8905 (HTTPS)

Note : By default, TCP/80 is redirected to TCP/8443. See Web Portal Services: Guest Portal and Client Provisioning.

Cisco ISE presents the Admin certificate for Posture and Client Provisioning on TCP port 8905.

Cisco ISE presents the Portal certificate on TCP port 8443 (or the port that you have configured for portal use).

Discovery (Policy Service Node side): TCP/8443, 8905 (HTTPS)

Provisioning - URL Redirection: See Web Portal Services: Guest Portal and Client Provisioning

Provisioning - Active-X and Java Applet Install including IP refresh, Web Agent Install, and launch NAC Agent Install: See Web Portal Services: Guest Portal and Client Provisioning.

Provisioning - NAC Agent Install: TCP/8443

Provisioning - NAC Agent Update Notification: UDP/8905

Provisioning - NAC Agent and Other Package/Module Updates: TCP/8905 (HTTPS)

Assessment - Posture Negotiation and Agent Reports: TCP/8905 (HTTPS)

Assessment - PRA/Keep-alive: UDP/8905

----

HTH!

Re: ISE 2.7 posturing MacOS installation issue

KelvinT — Mon, 25 Jan 2021 17:02:03 GMT

Yes. The switch's local ACL is "Deny" (i.e. no redirect) ISE ip with the listed ports.

Re: ISE 2.7 posturing MacOS installation issue

Mike.Cifelli — Mon, 25 Jan 2021 21:21:35 GMT

If possible please share your ACL.

Re: ISE 2.7 posturing MacOS installation issue

KelvinT — Thu, 28 Jan 2021 17:22:40 GMT

POSTURE-REDIRECT
remark DNS
deny udp any any eq domain
remark DHCP
deny udp any eq bootpc any eq bootps
remark RDP connection
deny tcp any eq 3389 any
remark Drive Mapping ports
deny udp any any range netbios-ns netbios-dgm
deny tcp any any eq 139
deny tcp any any eq 445
remark ISE Server
deny tcp any host ISE1 eq 8905
deny udp any host ISE1 eq 8905
deny tcp any host ISE1 eq 8909
deny udp any host ISE1 eq 8909
deny tcp any host ISE1 eq 8443
deny udp any host ISE2 eq 8905
deny tcp any host ISE2 eq 8905
deny udp any host ISE2 eq 8909
deny tcp any host ISE2 eq 8909
deny tcp any host ISE2 eq 8443
remark Redirect everything else
permit ip any any

Re: ISE 2.7 posturing MacOS installation issue

Marcelo Morais — Thu, 28 Jan 2021 18:42:52 GMT

Hi @KelvinT

first of all ... you said "ISE 2.7 P3" ... could you please double check ?

Your REDIRECT ACL looks fine ... could you please:

1. delete the /opt/cisco/anyconnect/profile/ISEPostureCFG.xml file

2. connect again

3. double check if the Supplicant is able to download the ISEPostureCFG.xml

Hope this helps

Re: ISE 2.7 posturing MacOS installation issue

KelvinT — Thu, 28 Jan 2021 19:56:56 GMT

Hello,

actually ISE 2.7 P2

ill try this and let you know what happen.