Cisco Employee

Posturing triggered even for CWA

Hi,

A customer running an ISE 1.4 (patch level 10) deployment is using multiple interfaces on the PSNs, as follows:

GE0 - for "general" communication (i.e. other ISE nodes, Active Directory, NTP, etc.)

GE1 - for RADIUS and posturing (i.e. CPP)

GE2 - for guest (i.e. CWA portal)

A company laptop running AnyConnect with ISE posture module would normally connect and, then, be postured by the posture module on the client talking to the PSN over the GE1 interface.

However, we were testing some use cases where the same laptop would need to perform web authentication and, for that, we created a guest portal using the GE2 interface (and associated authorization policies with the appropriate authorization profiles).

The issue is that, although we were hitting the correct authorization policy and the client was being redirected to the proper guest portal page (when we opened a browser and tried to go to "yahoo.com"), at the same time, the ISE posture module was kicking off (that was expected) and finding a policy server and actually performing the posture evaluation (that was not expected).

I did a packet capture on the client when we saw this issue and I am only seeing communication between the client and the GE2 interface of the PSN.

Also, in terms of redirects, the client is always redirected to a URL containing "action=cwa" and never "cpp".

All this sounds like a bug to me, but wanted to first check whether it somehow may be expected behaviour.

Thank you!

UPDATE: I forgot to mention that I confirmed "Require guest device compliance" was disabled on the guest portal.

Accepted Solutions
Cisco Employee

Re: Posturing triggered even for CWA

Posture will be triggered from the CWA flow, but I can't recall the latest status on "official" full agent support with the CWA flow. Traditionally, the web agent was assumed. And to your question: when you enable the posture checkbox, the redirect will be to cwa, not cpp. If responded to a successful "guest-flow", then you could redirect back to cpp. This basically splits the operations into two.

Posture triggered from cwa should link to the interface and certs on the same portal when part of one flow, not divert to a separate portal/interface. If the operations are split, then expect it to shift over.

Cisco Employee

Re: Posturing triggered even for CWA

Thanks, Jason!

I wasn't aware that posturing for CWA flow is implicitly enabled.

So, this would mean that "Require guest device compliance" on the guest portal is only to say posturing is *required*, because triggering is being done anyhow (i.e. independent of this option being enabled or disabled).

Is that fair?

Also, I understand the other points you make and I wasn't disputing them.

I was mentioning them in support of my main observation: posturing is triggered for CWA flow (i.e. it wasn't some sort of misconfiguration or client being redirected to the wrong interface on the PSN, etc.).

Cisco Employee

Re: Posturing triggered even for CWA

Correct!

Cisco Employee

Re: Posturing triggered even for CWA

Great!

Many thanks for the response!