Re: Anyconnecte posture : how can I modify the connectionData.xml

mmisonne · ‎10-22-2020

Hello

Does anyone knows how to modify the file ConnectionData.xml in posture.

Documentaion says: " Posture module retrieves this file at time of first posture attempt. File contains list of ISE PSNs FQDN. Content of the list might be dynamically updated during next connection attempt…."

Each time I edit this file, it replace it with the original file at the next connection.

However, I need to change it, because the backup PSN in this file does not point to the correct interface of the backup PSN. (Gi0 instead of Gi1)

Here is the content of my ConnectionData.xml:

-<record>
<primary>ise2-gi1-v26.sbs.maq</primary>
<port>8443</port>
<status_path>/auth/status</status_path>
<ng-discovery>/auth/ng-discovery</ng-discovery>
<time>1603384817</time>
-<backups>
<backup>ise1-v26.sbs.maq</backup>
</backups>
</record>
</records>

+++++++++++

I can I change the line :"backup>ise1-v26.sbs.maq</backup>"

to :" backup>ise1-gi1-v26.sbs.maq</backup>"

Michel

Mike.Cifelli · ‎10-22-2020

AFAIK this file should not be manually edited as it is edited upon each connection attempt with the PSNs info. You can utilize the call home field which you configure in your ISE posture profile. The call home feature allows you to configure a list of IP addresses, that defines all the Policy service nodes that the agent will try to connect to if the PSN that authenticated the endpoint doesn't respond for whatever reason. As for the interface situation take a peek at your client provisioning portal under Work Centers->Posture->Client Provisioning->Client Provisioning Portal->Portal Settings: Here you can determine which interface to use for the PSNs. I recommend testing any changes. HTH!

mmisonne · ‎10-23-2020

Thanks for your reply.

Effectively, my portal was configured with GI0 en GI1 enable.

I will test with only GI1 enable and give you the result.

Peter Koltl · ‎10-22-2020

The mentioned posture profile in ISE is downloaded to ISEPostureCFG.xml on the client.

Aref Alsouqi · ‎10-23-2020

You can change the posture agent profile under Client Provisioning > Resources tab.

mmisonne · ‎10-23-2020

Hello

Changing the ISEpostureProfile in ISE, does not change the ConnectionData.xml.

It just change the ISEPostureCFG.xml

Suppose I change in ISEpostureProfile the call home list to

It change the ISEPostureCFG.xml but note the ConnectionData.xml.

But in case of failover, the Posture agent will connect to the Backup mentioned in the ConnectionData.xml

-
ise2-gi1-v26.sbs.maq
8443
/auth/status
/auth/ng-discovery
1603384817
-
ise1-v26.sbs.maq <===== Posture agent attempt in case a failover

Aref Alsouqi · ‎10-23-2020

That's right, but as mentioned, if you populate Call Home List in the posture profile, the connections attempts would go to the servers you added to the Call Home List. However, if the Call Home List is empty, or the connections to the servers in it should fail, the client would try to use the ConnectionData.xml which would always contain the previous connected PSNs.

mmisonne · ‎10-23-2020

I checked with the portal having only GI1 enable.

It does not change anything.

The ConnectionData has still the wrong backup interface ( GI0 insted of GI1))

That case a pb because , in case of PSN failover, the posture agent goes to the wrong interface of the backup PSN, even if the ISEPostureCFG has the correct one.