Solved: Re: Anyconnect posture issue

afahmy · ‎02-27-2018

Hi all, customer is trying to use Anyconnect posture module for posture. ISE 2.3 in use. Anyconnect package and compliance module uploaded on ISE (client provisoining steps are all done the same way done in lab successfully before many many times!),..so what happens is Authentication succeeds and end user is able to access client provisioning portal (via static FQDN) but the client is not actually downloaded and instead user is given compliant status right away once they hit the start button !!!

if try to download AC manually it won't see ISE server although redirect rules are in place on switch and are working on other PCs where NAC agent is installed (note this is a fresh PC with no NAC agent installed before Anyconnect). Configured call home list on ISE but of course Anyconnect is not able to download the configuration from ISE because it can't see it. The DACL is currently permit any any. So it can't be the reason communication is failing.

has anybody seen this before? Is there a way to install ISEPostureCFG.xml on the PC with the manual install of Anyconnect ?

danielsai · ‎02-28-2018

Yes. Exactly. It just give me internet access without installing the client.

I have to delete the client provisioning rules and reconfigure that rule.

And it works like magic.

Regards,

Sai

View solution in original post

ldanny · ‎02-27-2018

Please see this information in the AC Admin guide

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect45/administration/guide/b_AnyConnect_Administrator_Guide_4-5/deploy-anyconnect.html

afahmy · ‎02-27-2018

Thanks but I don’t know how that helps ?

I have a specific issue I’m trying to solve

Sent from my iPhone

ldanny · ‎02-27-2018

Take a look at this thread

https://supportforums.cisco.com/t5/aaa-identity-and-nac/anyconnect-nam-and-ise-posture-on-windows-8-and-windows-7/td-p/2609655

afahmy · ‎02-27-2018

Thank Danny, you’re focusing only on the last part of the question.

My main question is whether someone has experienced this behavior before where the end user gets to the client provisioning portal, hits start but the AC package doesn’t download and they are instead provided compliant status immediately without installing the client.

ldanny · ‎02-27-2018

Will do some research and follow up..

danielsai · ‎02-28-2018

Hi Afahmy,

I have faced that issue a few weeks ago in my lab environment. I was testing to migrate NAC to Anyconnect.

Following are some issue that i've encounter,

Client provisioning rules from the ISE for NAC and Anyconnect could not co-exist in recent patches.(If we configure both under same condition, the rules were stop working. I've tested it
Client provisioning rules or Posture check rules are not working after we edited the rule. (We delete existing rule and create new rules again).

You can pre install anyconnect software in your machine and AC will download your AC configuration and compliance module once you connect to network or you could do a manually provisioning.

Hope you could get something from this.

Regards,

Daniel Sai

afahmy · ‎02-28-2018

Sami

Did it give you compliant WITHOUT installing the client ?

Thanks

Ahmed

Sent from my iPhone

danielsai · ‎02-28-2018

Yes. Exactly. It just give me internet access without installing the client.

I have to delete the client provisioning rules and reconfigure that rule.

And it works like magic.

Regards,

Sai