
Is VPN and DNS server essential in posture process

jinyuanbao
Level 1

 

Hi guys,

I'm using MAB as the authentication method to fulfill posture,

log.png

and in Win10 it successfully redirects to the CPP webpage,

webpagepng.png

then I download the package and open it

exefile.png

 

then it failed at this step, saying it couldn't connect to the server

couldn't connect to server.png

 

So why did it fail at this step?

I've read some configuration example documents, and nearly all of them list Cisco ASA VPN as a requirement. I don't have an ASA, and don't understand why VPN is a must.

And I figured maybe it's a DNS issue. I don't deploy a DNS server in my environment; the PC can't resolve some domain names and can't proceed further. So is a DNS server a must? Can I just set something somewhere to let endpoints just fetch resources from the ISE's IP address?

Thanks in advance!!

3 Replies

ASA VPN is not a must. The error says your client PC cannot connect to the ISE server. You need to deploy a small DNS server and configure it to resolve the ISE server domain name for the client PC.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Hi @jinyuanbao ,

The Cisco AnyConnect deployment options are:
 - Predeployment (manually or via an SMS/SCCM)
 - Web Deployment (via a Headend: FTDASA or ISE 2.0+)

In your case you need the AnyConnect ISE Posture, check the Authorization Profiles (at Work Centers > Posture > Policy Elements > Authorization Profiles) for your Authorization Policy called Unknown-Compliance, double check your ACL configuration (at ... Authorization Profiles > Common Tasks > Web Redirection).

Hope this helps !!!

Charlie Moreton
Cisco Employee

DNS is a MUST in ISE deployments, including reverse lookups (PTR records).  You also need to configure the Posture profile with the names (or IP Addresses) of your ISE PSNs.  

AnyConnect is used as the agent (as shown in your screenshots) and the ISE Posture Module for AnyConnect is used to assess (and remediate) the posture of your device.  

SO,

1. DNS is needed

2. VPN is not needed, but AnyConnect does a LOT more than VPN
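
A way to check the DNS requirement from the answers above (forward records plus PTR records for each ISE PSN name) from a client on the posture VLAN. This is an added example, not part of the thread or any Cisco tooling; the hostname `ise-psn1.example.test` is a placeholder, and the script assumes the endpoint's own system resolver is the one being tested.

```python
import socket
import sys

def forward_lookup(name):
    """Return the IPv4 addresses the system resolver gives for name."""
    try:
        return sorted(set(socket.gethostbyname_ex(name)[2]))
    except OSError:          # gaierror: name does not resolve
        return []

def reverse_lookup(ip):
    """Return the PTR names (primary name plus aliases) for ip, lowercased."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:          # herror: no PTR record
        return []
    return [n.rstrip(".").lower() for n in [host, *aliases]]

def check_psn(fqdn, forward=forward_lookup, reverse=reverse_lookup):
    """Check A and PTR records for one PSN name; return a list of problems."""
    fqdn = fqdn.rstrip(".").lower()
    addrs = forward(fqdn)
    if not addrs:
        return [f"{fqdn}: no A record"]
    problems = []
    for ip in addrs:
        names = reverse(ip)
        if not names:
            problems.append(f"{fqdn}: {ip} has no PTR record")
        elif fqdn not in names:
            problems.append(f"{fqdn}: PTR for {ip} is {names[0]}, not {fqdn}")
    return problems

def check_all(fqdns, **resolvers):
    """Map each PSN name to its list of DNS problems (empty list means OK)."""
    return {name: check_psn(name, **resolvers) for name in fqdns}

if __name__ == "__main__":
    # Placeholder default; pass your own PSN FQDNs on the command line.
    results = check_all(sys.argv[1:] or ["ise-psn1.example.test"])
    for name, problems in results.items():
        print(name, "OK" if not problems else "; ".join(problems))
    sys.exit(1 if any(results.values()) else 0)
```

Run it with the same names that are configured in the Posture profile, so that the names the agent will look up are the ones being checked.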