Contributor

ISE 2.3 Posture on Two Different Deployments

Hello,

I am currently deploying ISE 2.3 with posture (let's call it Deployment A), and we have some employees who have to VPN (AnyConnect) into another organization (Deployment B) that is also running ISE posture.

Previously, when they connected to Deployment B before we installed the posture agent on their machines, they would connect with no problem; no posturing was taking place. Once the posture agent for Deployment A was installed, they started failing posture in Deployment B and are not able to VPN in, because the Deployment B ISE servers were not trusted.

I have tried a couple options:

Option 1:

Add the Deployment B servers to the allowed server list. This is messy, as it downloads the Deployment B posture config; then, when returning, they are locked out because Deployment B's config does not trust Deployment A's ISE server. Deployment B could add Deployment A's servers as trusted, but every time they switch between them they download a new config.

Option 2:

Exempt these employees from posture for Deployment A; also not something we want to do.

Option 3:

Require the users to use a local VM to connect to Deployment B; also not a good option, as many of these users are not tech savvy.

Option 4:

Have Deployment B exempt these users from posture; they were not being postured before they had the agent, so it is no different now.

Are there any other options that could take place without Deployment B having to make changes on their end?

Thank You,

-Cory

Accepted Solution
VIP Engager

Re: ISE 2.3 Posture on Two Different Deployments

Why is Department B's ISE config allowing posture discovery to even work for Department A users' connections? There should be no redirect URL applied to their session, so they should not find any servers to talk to. That is your option 4 basically, which is what I would lean towards.

Department A shouldn't get full access to Department B's network, I would assume.

Replies
Cisco Employee

Re: ISE 2.3 Posture on Two Different Deployments

I also agree with what Paul said and option 4.

The authorization policy and the posture policy at Department B need to be consistent regarding user access from Department A.

Contributor

Re: ISE 2.3 Posture on Two Different Deployments

Thank you for confirming this; that is the option I have been presenting from the beginning. I don't have access to Deployment B; hopefully I can get them to change this.