
AnyConnect Posturing on Virtual Machine in ESXi

leighharrison, Level 7

Hello Folks,

 

We've got a Windows 10 VM running in ESXi that we want to be able to run posturing on and push a remediation vlan to it if it's out of compliance.  The VM sits in a host and is connected via a VDS.

 

Is there any way of ISE pushing a CoA for a VLAN to a VDS that anyone has come across?

 

Best, Leigh

2 Accepted Solutions (both from Colby LeMaire, in the replies below)

4 Replies

Colby LeMaire, VIP Alumni (accepted solution)

VMware VDS is not a supported access switch for ISE or 802.1X.  It does not support RADIUS, so you cannot send down AV pairs to change VLAN or assign a dACL.  And most VMware environments will have the VDS connected to the physical infrastructure using trunk ports, which should not be configured for 802.1X.

Now I have used VMs for testing ISE and posture and it works just fine.  The catch is that you need to have a physical NIC on the ESXi host dedicated to the VM, and then that NIC plugs into a supported access switch.  Then from the switch's perspective, it is just another 802.1X supplicant/client and you can do VLAN assignment on the access switch.  This scenario works fine for lab testing but is not something you would come across in production, since it basically defeats the purpose of virtualization.
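The access-switch side of the dedicated-NIC setup described in the reply above, as an added example that is not from this thread. It assumes a Cisco IOS access switch, an ISE Policy Service Node at 192.0.2.10, and that the ESXi host's vmnic2 is the only uplink of a standard vSwitch whose single port group holds the posture VM, with vmnic2 cabled to GigabitEthernet1/0/10. The interface name, addresses, server name, VLAN 100 and the shared secret are placeholders. The point of the example is the part a VDS has no equivalent of: the switch terminates 802.1X, talks RADIUS to ISE, and listens for the RFC 5176 CoA that ISE sends once posture changes.

```cisco
! Added example: IOS access-switch config for the port facing the dedicated ESXi NIC.
! Assumed: vmnic2 -> GigabitEthernet1/0/10, ISE PSN 192.0.2.10, placeholder secret.
aaa new-model
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key RadiusSharedSecret
!
aaa group server radius ISE
 server name ISE-PSN1
!
! CoA listener. Without this the switch silently drops the CoA-Request ISE sends
! after the posture verdict, and neither a VLAN change nor a dACL swap ever lands.
aaa server radius dynamic-author
 client 192.0.2.10 server-key RadiusSharedSecret
!
dot1x system-auth-control
! cisco-av-pair (dACL name, redirect) only works if VSAs are sent/accepted.
radius-server vsa send authentication
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
! A dACL is applied per host, so the switch must learn the client IP (classic IOS form;
! newer releases use device-tracking policies instead).
ip device tracking
!
interface GigabitEthernet1/0/10
 description ESXi vmnic2 - exactly one posture VM behind it
 switchport mode access
 switchport access vlan 100
 ! single-host: the port represents the VM, not a vSwitch full of MACs
 authentication host-mode single-host
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 authentication violation restrict
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
 spanning-tree portfast
!
! Checks once the VM has authenticated and ISE has returned its posture verdict:
!   show authentication sessions interface GigabitEthernet1/0/10 details
!     (the Vlan Policy / ACS ACL fields show what the CoA actually changed)
!   show ip access-lists
!     (downloaded #ACSACL# entries appear here, rewritten with the client IP)
!   debug radius
!     (CoA-Request from 192.0.2.10 followed by the switch's CoA-ACK)
```

If the VDS is left in the path instead of a dedicated NIC, the trunk from the host carries many MAC addresses on one port, which is exactly what `authentication host-mode single-host` and `authentication violation restrict` above are meant to reject; that, rather than any ISE setting, is why the VM has to own a physical uplink for this to work.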

leighharrison

Hi Colby,

Many thanks for your response. That’s the way we’re leaning with a dedicated NIC.

Best, Leigh

Colby LeMaire (accepted solution)

Leigh - The other thing I would add is that dynamic VLAN assignment is not recommended for Windows machines.  Especially if they are part of a domain.  When you change VLANs, that means your IP address changes also.  This can break GPOs, login scripts, drive mappings, etc.  The recommendation would be to use a remediation dACL to restrict access and then, once compliant, push down a new dACL that allows full access.  In that scenario, the IP address of the client never changes, only the access they have.
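The two authorization results contrasted in the reply above, written out as the RADIUS attributes ISE returns and the dACL bodies you would define in ISE. This is an added example, not from the thread. It assumes an ISE PSN at 192.0.2.10, a remediation/patch server at 203.0.113.20, a VLAN named REMEDIATION, and the profile and ACL names shown; all of these are placeholders, and the `<hash>` suffix stands for the version hash ISE appends to a downloadable ACL name.

```cisco
! Added example. Option A: what the original post asked for, a VLAN change.
! ISE authorization profile "Posture-NonCompliant-VLAN" returns in the
! Access-Accept (or in the CoA-Request after reauthentication):
!   Tunnel-Type(64)              = VLAN (13)
!   Tunnel-Medium-Type(65)       = IEEE-802 (6)
!   Tunnel-Private-Group-ID(81)  = REMEDIATION
! The client lands on a new subnet and must renew its lease, which is why
! anything tied to the old address (GPO processing, drive maps) can break.
!
! Option B: the recommended path, keep the VLAN and swap the dACL.
! Profile "Posture-NonCompliant-dACL" returns:
!   cisco-av-pair = ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-POSTURE_REMEDIATION-<hash>
! The switch then fetches the ACL body from ISE with a second Access-Request
! and rewrites the "any" source with the client's tracked IP.
!
! Downloadable ACL "POSTURE_REMEDIATION" (entered in ISE; IOS extended ACE syntax).
! Only DHCP, DNS, the ISE posture/provisioning ports and the patch server are open.
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit tcp any host 192.0.2.10 eq 8443
permit tcp any host 192.0.2.10 eq 8905
permit udp any host 192.0.2.10 eq 8905
permit tcp any host 203.0.113.20 eq 443
deny ip any any
!
! Downloadable ACL "PERMIT_ALL", returned by profile "Posture-Compliant":
permit ip any any
!
! Flow: the AnyConnect posture module reports compliant to 192.0.2.10, ISE sends a
! CoA (reauthenticate by default) to the switch, the session is re-authorised with
! PERMIT_ALL, and the client keeps the same IP address throughout.
```

The remediation ACL must allow TCP/UDP 8905 and TCP 8443 to the PSN, otherwise the posture module can never report compliance and the host stays locked in the remediation ACL. On the switch, `show ip access-lists` will list both `#ACSACL#` names with the client address substituted, and `show authentication sessions interface <port> details` shows which of the two is currently attached to the session.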

leighharrison

Thanks Colby, great tip!