topic Re: ISE posture setup in Network Access Control

ISE posture setup

bhartsfield — Thu, 10 Mar 2022 06:55:50 GMT

I am having issues getting ISE posturing to work. Had issues with the client and tried to set it up in the lab and still can't get it to work right.

Using an older windows 7 laptop with Anyconnect and the ISE posture module installed (4.10). Switch is a 9300 with basically the template from ise-support.com for denali+. ISE server is setup from cisco videos where I have an initial policy for "unknown posture" doing a ISE posture redirect and then my other rules (which work without posturing) looking at user is in a certain group and put them in this VLAN I added posture compliant to the rule. I do have a basic posture policy setup just looking for windows firewall is enabled.

What I see when I connect is the windows laptop goes to "trying to authenticate". Switch very quickly shows dot1x succeeded on access-session but shows nothing at this time on the redirect. Posture anyconnect module kicks in and says searching for policy server. Nothing changes on either side. Eventually posture module switches back to "cannot find policy server" and windows shows "Authentication Failed". At this point the switch access-session starts showing the redirect.

On the logs on the ISE server I do initially see the 802.1X success message with posture "unknown" and then a series of failures saying did not receive all the radius information expected.

I think my issue is getting the posture module to talk to ISE and download the posture policy on a new setup when it hasn't talked to the policy server previously.

Any ideas? What is the best way to get a new install to connect to ISE from the anyconnect module and get the posture policy? I thought that is what the redirect was supposed to do but that doesn't seem to be sent (according to the switch) until after the posture module has stopped searching.

I know I'm missing something simple in this whole flow. and yes this is using new-format switch configs with service policy.

Re: ISE posture setup

Mohammed al Baqari — Sat, 28 Aug 2021 13:49:37 GMT

Hi,

Do you have ISEPostureCFG.xml in the client machine at the path %program
data%\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture\

If you are deploying a posture agent manually or using SCCM, for example,
the XML file should be created in ISE server, downloaded to your machine
and copied to your clients at this path. If you are using client
provisioning portal to install posture agent, then XML will downloaded to
clients part of posture agent installation.

Try this and if all required ports are allowed between clients and PSN,
discovery process will work.

**** please remember to rate useful posts

Re: ISE posture setup

bhartsfield — Sun, 29 Aug 2021 02:29:29 GMT

Appreciate your reply.

So I think I was under the understanding that an "unknown posture" redirect would then direct the anyconnect posture client to download the ISE posture config. Was that an incorrect assumption? I don't want to mess with the portal since we are rolling this out to a large enterprise so in that case my best option is push the xml out with the posture module?

So, how do I get this ISEPostureCFG.xml file? I have configured all the anyconect profiles and all that in ISE but where do I go to download this config?

First time dealing with posturing so sorry for the what are probbaly easy questions.

Re: ISE posture setup

Mohammed al Baqari — Sun, 29 Aug 2021 04:59:37 GMT

Hi,

You need to download AnyConnect Profile Editor from Cisco website. Once
installed, it will install AnyConnect Profile Editor - ISE Posture. From
there you can create the XML file. Then you push it to your clients.

***** please remember to rate useful posts

Re: ISE posture setup

Mike.Cifelli — Sun, 29 Aug 2021 14:14:51 GMT

As mentioned you do need that xml file which will contain settings that the module will use. Adding an additional option besides the third party push @Mohammed al Baqari mentioned, which btw his way is 100% a legitimate option. Another option, which I think you were alluding to, is the ability for ISE to push the file via CPP (client provisioning portal). In order to accomplish this you will need to setup an AnyConnect Profile, create the ISEPostureCFG.xml using the editor mentioned, and upload the xml file in ISE. Or you can simply create the posture config file in ISE too. Then whichever way you choose, add the xml file inside your AnyConnect Config profile that then gets assigned as your result inside of your CPP policy. Then when clients connect, sits in unknown state at first, it should get redirected to CPP, ISE should push down the profile to the respective client. Lastly, the posture profile is added under the profile selection section inside the AnyConnect Config profile. HTH!

Re: ISE posture setup

albertofdez — Mon, 30 Aug 2021 10:54:59 GMT

Hi Mohammed,

I have installed the ISE posture agent manually and I have the same problem.

I have also created a profile with the tool "ISE Posture Profile Editor" I have saved it with the name ISEPostureCFG.xml and I have saved it in the path %program data%\Cisco\Cisco AnyConnect Secure Mobility Client \ISE Posture\ but it does not work for me .

Seeing your answer I have created the Anyconnect Posture Profile in Cisco ISE, how can I download it to copy it to the path you indicate?

Thanks.

Re: ISE posture setup

albertofdez — Mon, 30 Aug 2021 14:58:53 GMT

Hi,

What I need is to install the posture module and the posture profile manually or using SCCM or a similar tool.

The Cisco ISE version is 3.0 with patch 3. I attach the ISEPostureCFG.xml file that I created with the ISE Posture Profile Editor.

I understand that if I use the manual process and install the module and the profile, no redirection or access to the portal or anything similar is necessary, right?

Thanks.

Re: ISE posture setup

Mike.Cifelli — Tue, 31 Aug 2021 12:49:40 GMT

Please take a peek at the following to better understand the workflow required: ISE Posture Prescriptive Deployment Guide - Cisco Community

HTH!

Re: ISE posture setup

albertofdez — Wed, 01 Dec 2021 13:11:35 GMT

Hi Mike,

The problem was not that I did not understand the required flow, I had to open a case in the CT and I have it solved.

Thank you very much for your help.

Regards

Re: ISE posture setup

TE_SecurityAdmin — Wed, 13 Nov 2024 07:15:45 GMT

How did you solve it?

We want to use the CPP by the way to send posturecfg.xml for the first time to newly installed posture module without posturecfg.xml