4293 Views | 37 Helpful | 16 Replies

Posture 2.2-style

craig.beck
Level 1

Hi Everyone,

Has anyone deployed ISE posture using the new 2.2-style method without URL-redirection?

I'm keen to hear if anyone has, how well it has worked for them, any gotchas, workarounds to issues, etc.

I've deployed a distributed solution using 2.2 (patch 6 currently, but I will be pulling that ASAP due to a defect) and wanted to make use of the functionality, but it just hasn't been a good experience so far, and I have therefore gone back to doing posture via URL-redirection. We have seen that if the client uses a PSN which isn't the current session owner, but a session still exists at that [other] PSN for that client for whatever reason, it breaks the process, as a CoA containing an unknown session-id (at the switch) is sent, leaving our client stuck with a restrictive ACL and in the wrong VLAN. Accounting is configured, but in some instances the PSN either doesn't receive the STOP or, particularly where the PC/laptop is behind a phone (non-Cisco), a STOP is never sent. I understand why this is a problem, but I would have thought that this would have been considered, given that the method is supposed to enable non-Cisco NADs to be used.

My understanding is that the client can use the "call-home" list to find a PSN during posture. That can be any or all of your PSNs. The contacted PSN will check its session database to see whether a client with a matching MAC/IP is known. If it is, that PSN will return the CoA itself, but if not it will check the MnT and then direct the client to the correct PSN. When the MnT is checked, it works.

I've raised a TAC case for this, and it seems that the logic in 2.2 posture isn't quite there yet and could be improved. My feeling is that the MnT should be checked each time, to at least check the timestamp of the session. Saying that, TAC told me to do it the old way because 2.2's method could break easily if the accounting packet isn't received by the original PSN, but that doesn't sit well with me or my customer. All of the literature around 2.2 posture says it should work, but it doesn't with 100% accuracy.

Is this something that works better in 2.3?

Cheers,

Craig
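The failure mode Craig describes (a non-owner PSN acting on a stale local session and sending a CoA with a session-id the switch no longer holds) and his proposed mitigation (consult the MnT and compare session timestamps before acting) can be modelled without any ISE equipment. The following is a hypothetical simulation added for this page; it is not Cisco ISE code, and the class names, the `check_mnt_first` switch and the constructed MAC, session-ids and timestamps are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Session:
    session_id: str
    mac: str
    owner_psn: str
    started: int  # constructed timestamp (seconds); higher means newer


@dataclass
class Switch:
    """NAD model: it only knows the session-ids it currently holds."""
    active: Set[str]

    def apply_coa(self, session_id: str) -> bool:
        # A CoA naming an unknown session-id is rejected; the client keeps
        # its restrictive ACL/VLAN (the "stuck" outcome from the post).
        return session_id in self.active


@dataclass
class Mnt:
    """Authoritative session directory: the latest session per MAC."""
    sessions: Dict[str, Session]

    def lookup(self, mac: str) -> Optional[Session]:
        return self.sessions.get(mac)


@dataclass
class Psn:
    name: str
    local: Dict[str, Session] = field(default_factory=dict)  # may hold stale entries

    def resolve(self, mac: str, mnt: Mnt, check_mnt_first: bool) -> Tuple[str, Session]:
        """Return ('coa', session) if this PSN should send the CoA itself,
        or ('redirect', session) if the client must be sent to the owner PSN."""
        local = self.local.get(mac)
        if local is not None and not check_mnt_first:
            # Trust the local entry without consulting MnT. If no accounting
            # STOP ever reached this PSN, this entry is stale.
            return ("coa", local)
        current = mnt.lookup(mac)
        if current is None:
            raise LookupError(f"{mac} is unknown to MnT")
        if local is not None and local.started >= current.started:
            # Local copy is at least as new as MnT's record: safe to act on it.
            return ("coa", local)
        if current.owner_psn == self.name:
            return ("coa", current)
        # Another PSN owns the live session: hand the client over to it.
        return ("redirect", current)


def run_scenario(check_mnt_first: bool) -> dict:
    """Client calls home to psn-a, which still holds a stale session S1.
    The live session S2 is owned by psn-b and is the only one the switch knows."""
    mac = "00:11:22:33:44:55"  # constructed
    stale = Session("S1", mac, owner_psn="psn-a", started=1000)
    fresh = Session("S2", mac, owner_psn="psn-b", started=2000)
    switch = Switch(active={"S2"})  # S1 was torn down; no STOP reached psn-a
    mnt = Mnt(sessions={mac: fresh})
    psns = {
        "psn-a": Psn("psn-a", local={mac: stale}),
        "psn-b": Psn("psn-b", local={mac: fresh}),
    }

    hops = ["psn-a"]
    action, session = psns["psn-a"].resolve(mac, mnt, check_mnt_first)
    if action == "redirect":
        target = psns[session.owner_psn]
        hops.append(target.name)
        action, session = target.resolve(mac, mnt, check_mnt_first)
    accepted = switch.apply_coa(session.session_id)
    return {"path": hops, "coa_session": session.session_id, "coa_accepted": accepted}


if __name__ == "__main__":
    print("trust local first:", run_scenario(check_mnt_first=False))
    print("check MnT first:  ", run_scenario(check_mnt_first=True))
```

With `check_mnt_first=False` psn-a sends a CoA for S1, the switch does not recognise it and the client stays restricted; with `check_mnt_first=True` psn-a sees that MnT holds a newer session owned by psn-b, redirects the client there, and psn-b's CoA for S2 is accepted. The timestamp comparison is what lets a PSN that does own the current session still act locally without a redirect loop.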

16 Replies

We added an option to go directly to a Client Provisioning portal with or without network authentication. It does not need to be part of an active session or redirected in any way. You can simply tell users to go to agent.company.com, for example, and they will be authenticated to the portal and the client provisioning policy applied based on OS and auth conditions. Furthermore, if already authenticated to the network, you can enable an option in the portal to provide access without secondary auth; the PSN will check to see if the client IP is already in the session directory. The link is simply the FQDN defined for the portal and could even be load balanced, or resolve to an anycast IP on a PSN secondary interface, or be linked from the customer help desk page, or from the page for obtaining employee software!

Ah, I see, thank you! I will try it in a lab. The main purpose of this for me is to overcome an issue with computers returning from hibernation. All SSL applications start to complain about invalid certificates, and that is due to the nature of redirection of TCP 80/443. I cannot exclude the destination addresses because they are unknown (mostly cloud-based services).

Thank you again.