topic Re: Need urgent help on client provisioning in Network Access Control

Need urgent help on client provisioning

User_80617 — Fri, 03 Dec 2021 15:49:27 GMT

Hi,

I have following configuration on cisco asa for remote access vpn and posturing on ise.

2 vpn profiles on cisco asa. profile1 without posturing and profile2 with posturing. client provisioning is configured on ise with anyconnect config profile. however, ise posture module provisioning is done on cisco asa (as i was getting issues for it via cisco ise)

Problem is with client provisioning, when user connects the vpn profile which has not enabled for posturing still client provisioning happens. Anyconnect vpn gets updated and posture and compliance modules gets donwloaded, sometimes dart and smb donwloads which are unnecessary.

On cisco asa : for vpn profile1 - ise as authorization, accounting server is not configured.

On ise : client provisioning policy configured such a way that asa ip with tunnel group of vpn profile 2 only will be client provisioned. Also, authorisation policy for vpn profile 2 only has compliance rules.

Dont understand why client provisioned for vpn profile 1? Need help

Re: Need urgent help on client provisioning

Mike.Cifelli — Fri, 03 Dec 2021 16:49:05 GMT

Dont understand why client provisioned for vpn profile 1? Need help

-Sounds like you are steering both VPN tunnel group clients to ISE CPP. Do you have separate authz profiles for each one? That may help fix your issue. Also, double check your CPP conditions and work towards keeping the two tunnel groups separate.

Re: Need urgent help on client provisioning

User_80617 — Mon, 06 Dec 2021 09:13:46 GMT

Hi,

Actually both vpn profiles have separate policy sets filtered based on the tunnel groups.

Also, cpp is only for vpn profile 2 that is also filtered with tunnel group.

Re: Need urgent help on client provisioning

thomas — Fri, 10 Dec 2021 04:00:33 GMT

Are you following any guides?

How To Configure Posture with AnyConnect Compliance Module and ISE 2.x

Re: Need urgent help on client provisioning

Peter Koltl — Sat, 11 Dec 2021 21:46:59 GMT

Posture module (and DART module) is downloaded because it is specified in the ASA group-policy. Use a GP for profile1 which has no module download settings.

Compliance module is downloaded either because CPP redirection is in effect or because the client remembers a previous connection data of the ISE as policy server. (ConnectionData.xml or ISEpostureCFG.xml on client)