
AnyConnect Posture Module between Client and Stealth Mode

edmcnich
Cisco Employee

Customer is running AnyConnect and Posture Module on Windows endpoints. When connected to VPN, customer would like the posture module to show up and show status. When connected to LAN and WLAN, customer would like Stealth Mode. We got this to work by configuring different Client Provisioning Policies under Posture for each connection. So when an end user connects and authenticates via VPN on the ASA, the Posture Module runs and is visible, but when connecting to LAN or WLAN, the Posture Module disappears and runs in Stealth Mode. One issue when bouncing back between LAN/WLAN and VPN is that it takes 30 seconds or so for the Posture Module to appear and scan the device after VPN connection and Authentication. Is there a way to have the module run quicker?

4 Replies

RichardAtkin
Level 3
You need the Posture Module to send its Discovery requests more quickly, but I’m not sure there is an easy way to do this, though I have similar frustrations so it’d be good if someone knew a way!

What trick are you using for posture discovery when on VPN? Are you redirecting one of the known calls like enroll.cisco.com? Or using a posture discovery host?

edmcnich
Cisco Employee

Basically in the client provisioning policy we created a condition for Windows devices that if authentication from VPN_Group (which is the ASAs doing RAVPN), Results will be posture module. For all other NAS devices (WLC, Switches), results will be AnyConnect Stealth. Only issue is that when we switch from wireless to VPN, it takes about 30-40 seconds for the posture module to enable.

I found it best to also define the ISE Posture profile in ASA; e.g.

# show running-config webvpn
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.6.01103-webdeploy-k9.pkg 1 regex "Windows NT"
 anyconnect image disk0:/anyconnect-linux64-4.6.01103-webdeploy-k9.pkg 2 regex "Linux"
 anyconnect image disk0:/anyconnect-macos-4.6.01103-webdeploy-k9.pkg 3 regex "Intel Mac OS X"
 anyconnect profiles ISEPosture1 disk0:/ISEPostureCFG.xml
 anyconnect profiles ise-vpn-lab disk0:/ise-vpn-lab.xml
 anyconnect enable
 cache
  disable
 error-recovery disable