Cisco ISE Pre and Post Posture

aslam.bajwa
Level 3

Hi All,

We have Cisco ISE 2.4, a distributed deployment with wired, wireless and VPN.

Currently we have a Pre-Posture configuration (i.e. we have to enable the HTTP server on the Cisco switches for redirect).

Can we move to a Post-Posture configuration? Currently we have more than 800 users in production.

What do Cisco best practices say? Should we go for the Post-Posture configuration?

Regards,


4 Replies

Hi,

I assume you are referring to post-ISE 2.2 posture, which does not require a redirect? You need to pre-provision the AnyConnect client and the ISEPostureCFG.XML configuration file; this needs to be configured with a call home list in order to start the posture process. Reference here.

HTH

Hi RJI,

Many thanks for your reply.

Correct, I am asking about post-ISE 2.2 posture, but my main concern is what the Cisco best practices and recommendations are:

Pre-Posture or Post-Posture?

Well, if you control the endpoints and can pre-deploy the configuration XML file and the AnyConnect posture client, you don't need the redirect ACL, which saves on configuration and complexity. You can also manually provision the client by browsing to the CPP webpage.

However, if you haven't pre-deployed the AnyConnect client and XML configuration file and you want the client to automatically be redirected to the CPP to provision the agent and configuration, then you will need the redirection ACL.

So it's not necessarily about best practice, it's about your scenario and whether the endpoints have the configuration/agent. Ideally, IMO, you'd pre-deploy the necessary configuration files and AnyConnect agent; then you don't need the redirection ACL but just rely on the call home list.