anyconnect ise posture module offline deployment

xili5
Cisco Employee

Hi,

Maybe this is an old topic, but I just want to confirm that, besides using the posture portal provided by ISE to manually install the AnyConnect posture module and update the posture profile on a computer, we can also deploy the ISE posture module and profile offline, which means we can install the AnyConnect posture module from the MSI package, edit the posture profile with the Profile Editor and put this profile here: "c:\ProgramData\Cisco\Cisco Anyconnect Secure Mobility Client\ISE Posture\ISEPostureCFG.xml".

Does this setting work for offline deployment? Is there any other step I should do on the local computer?


Also, when I go through the "anyconnect deploy" document, I find this description:

If you manually deploy the AnyConnect ISE Posture profile, you must also upload that file to ISE.


So what does "upload" mean, and how do I upload? Does it mean I need to create a posture agent profile on ISE with the same settings as the one I created on the local computer?


Thank you.


br,

Martin




paul
Level 10

If you have the posture discovery interception techniques working, you don't need to load any profile files onto the machine. Simply install the posture module. When you connect to the network the posture module will attempt to do posture discovery, i.e. a port 80 call to the default gateway, a port 80 call to enroll.cisco.com, etc. If the network is set up to URL-redirect those calls to the PSN that authenticated the user, the posture module will connect to ISE, download the profile you specify in client provisioning and provide a posture report.

xili5
Cisco Employee

Hi Paul,

What is the "discovery interception technique"? Can you specify how I can make it work?

br,

Martin

Here you go:

ISE posture style comparison for pre and post 2.2 - Cisco

That link describes how discovery works.

xili5
Cisco Employee

Hi Paul,

Thank you for your help.

But I want to find a solution without online client provisioning, like pushing the AnyConnect posture module and profile with SCCM or other similar tools. Both the AnyConnect software and the profile are installed without online provisioning.

Yes, you use SCCM to push out AnyConnect with the Posture Module. I was simply saying you don't have to push out the configuration file if you don't want to. If you have the redirection set up correctly the posture module will find the ISE node to report posture to. As part of that connection the posture module will download the configuration settings you specify in the client provisioning portal.

xili5
Cisco Employee

Hi Paul,

So there are three options for the ISE posture solution.

1. Download/Install posture module and posture profile from provisioning portal

2. Posture module is installed by SCCM or similar tools; posture profile is downloaded from provisioning portal

3. Both posture module and posture profile are installed by SCCM or similar tools.

Please correct me if I have any misunderstanding.

Yes, that is correct. You still want to make sure #2 works even if you start out with #3, because if you change the posture profile you don't then need to push it out with SCCM. You can simply make the change to the posture profile in ISE, and the next time the clients connect to submit posture they will get the updated posture profile.

I only do #1 when I am doing the proof of concept with the customer, before we have the SCCM delivery method built.

xili5
Cisco Employee

Thanks, Paul. What I need is to provide all available options to customer.

And the last question: are those three options available for all ISE 2.x versions, especially #2? It seems #2 is a new feature from ISE 2.2.

#2 has always been there. What they added in 2.2 is other methods for discovery that don’t rely on URL redirection.

For example, the first three discovery methods, which rely on URL redirection, are there prior to ISE 2.2:

Probe 1 - HTTP GET /auth/discovery to the default gateway IP. You should remember that Mac OS devices do not have a default gateway on the VPN adapter. The expected result for the probe is a redirect-url.

Probe 2 - HTTP GET /auth/discovery to enroll.cisco.com. This FQDN needs to be successfully resolvable by the DNS server. In a VPN scenario with split-tunnel, traffic to enroll.cisco.com has to be routed through the tunnel. The expected result for the probe is a redirect-url.

Probe 3 - HTTP GET /auth/discovery to the discovery host. The discovery host value is returned from ISE during installation in the AC posture profile. The expected result for the probe is a redirect-url.

ISE 2.2+ added the following options:

Stage two contains two discovery probes which allow the AC posture module to establish a connection to the PSN where the session is authenticated, in environments where redirection is not supported. During stage two all probes are sequential.

Probe 1 - During the first probe the AC posture module tries to establish a connection with the IPs/FQDNs from the "Call Home List". The list of targets for the probe has to be configured in the AC posture profile on the ISE side. You can define IPs/FQDNs separated by commas; with a colon you can define the port number for each Call Home destination. This port needs to be equal to the port on which the client provisioning portal runs. On the client side, information about call home servers is located in ISEPostureCFG.xml; this file can be found in the folder C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture\

The call home target might not own the session, and at this stage a session owner lookup needs to happen. The posture module instructs ISE to start the owner lookup by using a special target URL, /auth/ng-discovery; the request also contains the client's list of IPs and MACs. After this message is received by the PSN, the session lookup is first done locally. If the session is not found, the PSN initiates an MNT node query. This request contains the client IPs/MACs list, and as a result the FQDN of the owner should be obtained from MNT. After this the PSN returns the owner FQDN back to the client. The next request from the client is sent to the session owner FQDN with auth/status in the URL and the list of IPs and MACs.

Probe 2 - At this stage the posture module tries the PSN FQDNs which are located in ConnectionData.xml. You can find this file in C:\Users\\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client\. The posture module retrieves this file at the time of the first posture attempt. The file contains the list of ISE PSN FQDNs. The content of the list might be dynamically updated during the next connection attempt. The end goal of the probe is to get the FQDN of the current session owner. The implementation is identical to Probe 1, with the only difference being the probe destination selection.

The file itself is located in the folder of the current user, in case the device is used by multiple users. A different user is not able to use the information from this file. This might lead users to a chicken-and-egg problem in environments without redirection when Call Home targets are not specified.

A couple of corrections or clarifications.

ConnectionData.xml is referenced in Phase 1. Phase 1 discovery "probes" are all done in parallel.

In Phase 2, discovery occurs sequentially to reduce the potential load on MnT lookups. It is also expected that reaching any viable PSN will allow a successful session lookup and redirect to the client. Additionally, enroll.cisco.com is the third item in the sequence that should be checked as part of Phase 2 discovery.

/Craig
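The two-stage discovery flow from the accepted answer, with Craig's ordering for Phase 2, as an added Python model that is not Cisco's code: Phase 1 probes are evaluated together and succeed on a redirect, Phase 2 walks the Call Home List, the ConnectionData.xml PSNs and enroll.cisco.com in order, and the Call Home List parsing follows the comma/colon rules stated above. The `network` dictionary stands in for the HTTP replies an endpoint would receive, and the provisioning portal port 8443 is an assumed value.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of AnyConnect ISE posture discovery as described in this thread (not Cisco code).
# "network" maps (host, port) -> reply the client would get; it replaces real HTTP GETs so the
# sequence can be studied offline. CPP_PORT is an assumed client provisioning portal port.
REDIRECT = "redirect-url"
CPP_PORT = 8443


def parse_call_home_list(value: str) -> List[Tuple[str, int]]:
    """Split the comma-separated Call Home List; 'host:port' sets a port, otherwise CPP_PORT is assumed."""
    targets = []
    for item in value.split(","):
        item = item.strip()
        if item:
            host, _, port = item.partition(":")
            targets.append((host, int(port) if port else CPP_PORT))
    return targets


@dataclass
class Endpoint:
    default_gateway: Optional[str]            # None on a macOS VPN adapter
    discovery_host: Optional[str]             # from the AC posture profile
    call_home_list: str = ""                  # from ISEPostureCFG.xml
    connection_data_psns: List[str] = field(default_factory=list)  # from ConnectionData.xml


def stage_one(ep: Endpoint, network: Dict[Tuple[str, int], str]) -> bool:
    """Phase 1: HTTP GET /auth/discovery to gateway, enroll.cisco.com and discovery host (in parallel).
    Succeeds if any probe is answered with a URL redirect to the authenticating PSN."""
    targets = [ep.default_gateway, "enroll.cisco.com", ep.discovery_host]
    return any(network.get((t, 80)) == REDIRECT for t in targets if t)


def stage_two(ep: Endpoint, network: Dict[Tuple[str, int], str]) -> Optional[str]:
    """Phase 2 (ISE 2.2+): sequential /auth/ng-discovery probes. The first reachable PSN does the
    session-owner lookup (locally, then via MnT) and answers with the owner FQDN."""
    candidates = (parse_call_home_list(ep.call_home_list)
                  + [(psn, CPP_PORT) for psn in ep.connection_data_psns]
                  + [("enroll.cisco.com", CPP_PORT)])
    for host, port in candidates:
        owner = network.get((host, port))
        if owner and owner != REDIRECT:
            return owner          # the client then sends /auth/status to this FQDN
    return None                   # no redirect, no Call Home target, no cached PSN: discovery fails


def discover(ep: Endpoint, network: Dict[Tuple[str, int], str]) -> Optional[str]:
    """Outcome of discovery: 'redirect' (Phase 1), the owner FQDN (Phase 2), or None on failure."""
    return "redirect" if stage_one(ep, network) else stage_two(ep, network)
```

The `None` outcome is the chicken-and-egg case from the accepted answer: a fresh user profile without redirection, Call Home targets or a ConnectionData.xml has nowhere left to probe.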

quesiaboagye
Level 1

I have a similar challenge, but mine is on ISE 3.1.

I want to be able to install the AnyConnect client and profile offline on the endpoints. My challenge now is where to find the profile file (whether in ISE or in one of the directories where the AnyConnect agent was installed).