aslam.bajwa
Participant

Cisco ISE Pre and Post Posture

Hi All,

We have Cisco ISE 2.4, distributed deployment with wired, wireless and VPN.

Currently we have Pre-Posture configuration (i.e. we have to enable the HTTP server on Cisco switches for redirect).

Can we move to Post-Posture configuration? Currently we have more than 800 hundred users in production.

What do Cisco best practices say? Should we go for Post-Posture configuration?

Regards,

Rob Ingram
VIP Mentor

Hi,

I assume you are referring to post ISE 2.2 posture, which does not require a redirect? You need to pre-provision the AnyConnect client and the ISEPostureCFG.XML configuration file; this needs to be configured with a call home list in order to start the posture process. Reference here.

HTH

Hi RJI,

Many thanks for your reply.

Correct, I am asking about post ISE 2.2 posture, but my main concern is what the Cisco best practices and recommendations are.

Pre-Posture or Post-Posture?

Well, if you control the endpoints and can pre-deploy the configuration XML file and AnyConnect posture client, you don't need the redirect ACL, which saves on configuration and complexity. You can also manually provision the client, by browsing to the CPP webpage.

However, if you haven't pre-deployed the AnyConnect client and XML configuration file and you want the client to automatically be redirected to the CPP to provision the agent and configuration, then you will need the redirection ACL.

So it's not necessarily about best practice, it's about your scenario and whether the endpoints have the configuration/agent. Ideally, IMO, you'd pre-deploy the necessary configuration files and AnyConnect agent; then you don't need the redirection ACL but just rely on the call home list.
