Can ISE handle client provisioning before anyconnect is installed?

Chape87 · ‎04-03-2018

I'm trying to draw it out and figure out if there is a way to create a policy set to have ISE do the client provisioning for anyconnect itself, the original install. All the demos i see, anyconnect is already installed, and ISE is simply updating anyconnect, adding the modules, and config profiles. So presumably in a large environment they use SCCM or some other deployment tool to install anyconnect the first time.

In our environment we are doing EAP-Chanining, with EAP-TLS for both client and machine. Initially i don't see how it would work as the PC would need to know how to authenticate to ISE to get anyconnect, but it uses anyconnect configs to know how to do that. Is there a work around to this?

Marvin Rhoads · ‎04-03-2018

It's an optional part of the initial flow through the Client Provisioning Portal (CPP).

You go through the flow the first time as an unknown endpoint / user. After providing credentials via the Web UI your session is re-authenticated and the second time through the process you get the AnyConnect client software along with the associated profiles. Once those install you finally get to come in with full EAP-chaining and 802.1x.

Do note however that EAP-chaining for AD-joined Windows 10 computers and users requires a registry change as documented in the AnyConnect release notes. That bit has to be done either via a local admin or pushed via a Windows AD GPO.