AnyConnect ISE Posture Pre-Deployment Questions

AIN UL BADAR
Level 4

 Hello everyone,

I'm in the process of deploying AnyConnect ISE Posture using our Software Management System (SMS). I do have a couple of questions about the pre-deployment packaging.

  1. If we are deploying AnyConnect ISE Posture using Software Management System (SMS), is it necessary to configure the “Client Provisioning Configuration” section on ISE? If yes, then why? Isn’t it enough to distribute the AnyConnect Posture package via SMS?
  2. What files are we going to bundle together for AC Posture during the SMS deployment? Is it required to bundle the “AnyConnect Configuration file and Posture Profile file”? I couldn’t find out how to export the ISE “AnyConnect Configuration file”, even though I found a way to configure the “AnyConnect Posture Profile” using Posture Profile Editor.

Appreciate the Help.



pan
Cisco Employee

Hi,

 

Could you please explain what you consider under "Client Provisioning Configuration"?

 

Regards,

Pankaj

Hi Pankaj,

I'm talking about this section, "Policy Elements > Results > Client Provisioning > Resources", where you define the Posture Profile and then attach the Posture Profile to the AnyConnect Configuration.

Let me know if you have any questions.

HTH

Ain

It all depends on how you have your network set up. If you have your network set up to do posture discovery, then you don't need to deploy anything but the AnyConnect software with the posture module. When the posture module first starts up, it will do posture discovery (HTTP to gateway IP, enroll.cisco.com, etc.), and if you have posture discovery URL redirection configured on the network, the posture module will find the correct PSN to talk to and download everything it needs to function. You would also need to have a client provisioning rule to apply the correct posture config file.

 

Check out this link for posture discovery options and how to do it without redirection (would require you to push the posture config file with the SCCM package).

 

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html

Thank you for the explanation, it makes a lot of sense.

One last thing I would like to confirm is what you said about the CCP. You said that I don't have to deploy the Posture Profile using the Software Management System in the AnyConnect bundle. Once the Posture Module on the client fires up, it'll detect the correct PSN with or without discovery and download the AnyConnect Config/Posture Profile from ISE?

Hi Ain,

 

Once you install the software with SMS, due to the redirection configured on the NAD, the client will get redirected to the PSN and it will download the file from ISE.

 

If you are not using redirection then you have to push the file to the client.

 

Regards,

Pankaj Kumar

Thanks Bro, really appreciate you clearing my doubts.
Ain
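
The discovery and redirection behaviour described in the replies above can be checked from a pre-deployed client before deciding whether the posture config file must go into the SMS package. The following is an added example, not code from the thread or from Cisco; the probe path `/auth/discovery`, the `.example.com` PSN suffix and all sample hostnames are assumptions or constructed values.

```python
"""Classify responses to posture discovery probes (added example)."""
import http.client
from urllib.parse import urlsplit

DISCOVERY_PATH = "/auth/discovery"     # assumption: probe path, not stated in the thread
EXPECTED_PSN_SUFFIX = ".example.com"   # assumption: domain your own PSNs live in

def classify(status, location, psn_suffix=EXPECTED_PSN_SUFFIX):
    """Return (verdict, host) for one probe response.

    redirected          -> NAD redirected the probe to an expected PSN over HTTPS
    unexpected_redirect -> redirected elsewhere (captive portal, wrong domain, plain HTTP)
    no_redirect         -> no redirection; the posture config file must be pushed
    """
    if status in (301, 302, 303, 307) and location:
        url = urlsplit(location)
        host = (url.hostname or "").lower()
        if url.scheme == "https" and host.endswith(psn_suffix):
            return "redirected", host
        return "unexpected_redirect", host or None
    return "no_redirect", None

def probe(target, timeout=3):
    """Send one plain HTTP GET to a discovery target (gateway IP or
    enroll.cisco.com) without following the redirect, then classify it."""
    conn = http.client.HTTPConnection(target, 80, timeout=timeout)
    try:
        conn.request("GET", DISCOVERY_PATH)
        resp = conn.getresponse()
        return classify(resp.status, resp.getheader("Location"))
    except (OSError, http.client.HTTPException):
        return "no_redirect", None
    finally:
        conn.close()

def needs_pushed_profile(results):
    """True when no probe was redirected to an expected PSN."""
    return not any(verdict == "redirected" for verdict, _ in results)

# Constructed sample responses: (status, Location header). Hostnames are placeholders.
SAMPLES = [
    (302, "https://psn1.example.com:8443/portal/gateway?sessionId=abc&action=cpp"),
    (200, None),
    (302, "http://captive.example.net/login"),
    (302, "https://psn1.example.com.lab.test:8443/portal/gateway"),
]

if __name__ == "__main__":
    results = [classify(s, loc) for s, loc in SAMPLES]
    print(results, "push profile:", needs_pushed_profile(results))
```

An `unexpected_redirect` verdict is worth investigating on its own: it means something on the path answers the probe but is not one of the PSNs you expect.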