ISE 2.4 AnyConnect Posture / Not work

Dear All,

I am in the middle of a project and I have to complete the ISE AnyConnect posture configuration. The connection flow will be like:

Client >>>>> (Public IP) ASA2130 (AnyConnect server) >>>>> ISE 2.4 (private IP address)

AnyConnect works perfectly without ISE, but when I add ISE my problem appears:
- When I type https://(public IP of ASA) >> the AnyConnect page appears and asks me to enter username/password
   **the username and password are configured on ISE
- After the login passes, the AnyConnect download page appears and then AnyConnect is installed >> enter username/password and the connection is established
- After that I open the browser and type http://(any IP routed through VPN) to trigger the redirection page
- The redirection page appears and I press (( this is my first time here )), then it tries to install AnyConnect again but gives the error (( Network Setup Assistant ))

- ISE version 2.4
- AnyConnect version 4.5
- Windows 10 (the client PC)

Accepted Solution
Cisco Employee

Re: ISE 2.4 AnyConnect Posture / Not work

The client needs to be able to resolve the ISE host that will perform the Posture Assessment. Thus, DNS will have to be properly configured. I am not a DNS expert but your clients should be able to configure the proper DNS zones where the ISE servers are resolvable both internally and externally.

Yes, the profile configurations are done in ISE. The videos that I shared with you would walk you through it step-by-step.

Thank you for rating helpful posts!

Cisco Employee

Re: ISE 2.4 AnyConnect Posture / Not work

The redirection is expected as ISE is redirecting the client in order to perform Posture Assessment. In order for Posture Assessment to work, the endpoint needs to have the AnyConnect Posture Module installed and configured. If the endpoint does not then ISE can provide this. With that said, it looks like your configuration is missing something. Please take a look at these 4 videos and ensure that you have everything properly configured:

http://www.labminutes.com/sec0279_ise_22_posture_assessment_anyconnect_client_1

I hope this helps!

Thank you for rating helpful posts!


Cisco Employee

Re: ISE 2.4 AnyConnect Posture / Not work

Please also look at our Prescriptive Posture guide at https://cs.co/ise-guides
There are many articles for AnyConnect there.

Re: ISE 2.4 AnyConnect Posture / Not work

Hi Jason,

Thank you for your reply. I have already read most of them and they were really helpful.

But I believe I have something missing.

AnyConnect configuration -- pass

Authentication through ISE -- pass

ISE redirection ------- pass

Download posture assessment --- failed

Note: in the ISE RADIUS live log the posture status is always pending.

 

Re: ISE 2.4 AnyConnect Posture / Not work

Hi nspasov,

Thank you for your reply, and sorry for the late reply. Let me check the videos and get back to you.
And please, can you confirm if there is a missing config in my ASA configuration below:

interface Ethernet1/1
description Outside
nameif Outside
security-level 0
ip address 172.29.129.5 255.255.255.248 standby 172.29.129.6


interface Ethernet1/5
description Inside
nameif Inside
security-level 100
ip address 172.29.129.41 255.255.255.248 standby 172.29.129.42

!
route Outside 0.0.0.0 0.0.0.0 172.29.129.1
route Inside 10.1.2.0 255.255.255.0 172.29.129.45
!

ip local pool CuStOmer-AnyConnect-Pool 172.28.0.10-172.28.16.254 mask 255.255.240.0


access-list CuStOmer01-HQ-LAN standard permit 10.1.2.0 255.255.255.0
access-list CuStOmer01-HQ-LAN standard permit host 72.163.1.80



aaa-server ISE_RADUIS protocol radius
interim-accounting-update periodic 1
merge-dacl before-avpair
dynamic-authorization
realm-id 95
aaa-server ISE_RADUIS (Inside) host 10.1.2.95
key *****
!

webvpn
enable Outside
anyconnect image disk0:/anyconnect-win-4.5.05030-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
webvpn
anyconnect profiles value CuStOmer_ac_profile type user

!
group-policy GroupPolicy_CuStOmer.hq.vpn1.iq.gov internal
group-policy GroupPolicy_CuStOmer.hq.vpn1.iq.gov attributes

wins-server none
dns-server value 10.1.2.110
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CuStOmer01-HQ-LAN
default-domain value CuStOmer.iq
webvpn
anyconnect modules value posture
anyconnect profiles value CuStOmer-AC-VPN type user
anyconnect profiles value CuStOmer-AC-Posture-Profile type iseposture
!
!

tunnel-group CuStOmer.hq.vpn1.iq.gov type remote-access
tunnel-group CuStOmer.hq.vpn1.iq.gov general-attributes
address-pool CuStOmer-AnyConnect-Pool
authentication-server-group ISE_RADUIS
authentication-server-group (Inside) ISE_RADUIS LOCAL
accounting-server-group ISE_RADUIS
default-group-policy GroupPolicy_CuStOmer.hq.vpn1.iq.gov
tunnel-group CuStOmer.hq.vpn1.iq.gov webvpn-attributes
group-alias CuStOmer.hq.vpn1.iq.gov enable

!
** Do I need to configure profiles? When I delete them it does not work. Additionally, do I need to add "anyconnect modules value posture"?
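The accepted answer's point is that the endpoint must be able to reach and resolve the ISE node that performs the posture assessment; with a split tunnel, that also means the internal DNS server and the ISE PSN address must fall inside the split-tunnel network list, and the group-policy must actually push the posture module and an iseposture profile. The check below is an added example, not code from the thread or from Cisco: it parses a config excerpt modelled on the snippet posted above and flags those gaps. It assumes the ISE PSN is the same host as the RADIUS server (10.1.2.95); it cannot verify that the DNS zone actually contains the ISE FQDN, which was the poster's real problem.

```python
import ipaddress
import re

# Constructed ASA excerpt modelled on the thread's snippet (not the full running-config).
ASA_CONFIG = """
aaa-server ISE_RADUIS (Inside) host 10.1.2.95
access-list CuStOmer01-HQ-LAN standard permit 10.1.2.0 255.255.255.0
access-list CuStOmer01-HQ-LAN standard permit host 72.163.1.80
group-policy GroupPolicy_CuStOmer.hq.vpn1.iq.gov attributes
 dns-server value 10.1.2.110
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CuStOmer01-HQ-LAN
 default-domain value CuStOmer.iq
 webvpn
  anyconnect modules value posture
  anyconnect profiles value CuStOmer-AC-Posture-Profile type iseposture
"""

def split_tunnel_networks(config, acl_name):
    """Networks that a 'standard permit' ACL sends through the tunnel."""
    nets = []
    pattern = rf"access-list {re.escape(acl_name)} standard permit (host \S+|\S+ \S+)"
    for m in re.finditer(pattern, config):
        spec = m.group(1).split()
        if spec[0] == "host":
            nets.append(ipaddress.ip_network(spec[1]))          # /32
        else:
            nets.append(ipaddress.ip_network(f"{spec[0]}/{spec[1]}"))  # net/mask
    return nets

def first(pattern, config):
    m = re.search(pattern, config, re.M)
    return m.group(1) if m else None

def check_posture_reachability(config, ise_psn_ip):
    """Return a list of findings that would leave the client unable to reach ISE."""
    findings = []
    acl = first(r"^\s*split-tunnel-network-list value (\S+)", config)
    tunneled = split_tunnel_networks(config, acl) if acl else []
    in_tunnel = lambda ip: any(ipaddress.ip_address(ip) in n for n in tunneled)
    dns = first(r"^\s*dns-server value (\S+)", config)
    if not dns or not in_tunnel(dns):
        findings.append("internal DNS server is not reachable through the tunnel")
    if not in_tunnel(ise_psn_ip):
        findings.append("ISE PSN is excluded from the split-tunnel network list")
    if not re.search(r"^\s*anyconnect modules value .*posture", config, re.M):
        findings.append("posture module is not pushed by the group-policy")
    if not re.search(r"type iseposture$", config, re.M):
        findings.append("no ISE posture profile is assigned")
    return findings
```

An empty list means the ASA side has nothing obviously missing, which points back at name resolution of the ISE FQDN on the client, as the accepted answer says.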

Re: ISE 2.4 AnyConnect Posture / Not work

Dears,

- The problem has been solved (( but it does not meet my scenario )) by adding the DNS record statically on my PC.

- Do I need to configure profiles? When I delete them it does not work. Additionally, do I need to add "anyconnect modules value posture"? ----- still waiting for your kind confirmation

- In my scenario all remote PCs use an internet service with public or private DNS; the client will not accept this solution (if I tell him to add the DNS record statically on all AnyConnect PCs). Can you help me find another way???
