ISE 2.3 Posture on Two Different Deployments

Cory Peterson
Level 5

Hello,

I am currently deploying ISE 2.3 with posture (let's call it Deployment A), and we have some employees that have to VPN (AnyConnect) in to another organization (Deployment B) that is also running ISE posture.

Previously, when they connected to Deployment B before we installed the posture agent on their machines, they would connect with no problem; no posturing was taking place. Once the posture agent for Deployment A was installed, they started failing posture in Deployment B and are not able to VPN in, because the Deployment B ISE servers were not trusted.

I have tried a couple options:

Option 1:

Add the Deployment B servers to the allowed server list. This is messy, as it downloads the Deployment B posture config, and then, when returning, they are locked out because Deployment B's config does not trust Deployment A's ISE server. Deployment B could add Deployment A's servers as trusted, but every time they switch between them they download a new config.

Option 2:

Exempt these employees from Posture for Deployment A, also not something we want to do.

Option 3:

Require the users to use a local VM to connect to Deployment B, also not a good option as many of these users are not tech savvy.

Option 4:

Have Deployment B exempt these users from posture, they were not being postured before they had the agent so it is no different now.

Are there any other options that could work without Deployment B having to make changes on their end?

Thank You,

-Cory

Accepted Solution

paul
Level 10

Why is Department B's ISE config allowing posture discovery to even work for Department A users' connections? There should be no redirect URL applied to their session, so they should not find any servers to talk to. That is basically your option 4, which is what I would lean towards.

Department A shouldn't get full access to Department B's network, I would assume.


3 Replies

hslai
Cisco Employee

I also agree with what Paul said and option 4.

The authorization and the posture policy at Department B need consistency on the user access from Department A.

Cory Peterson
Level 5

Thank you for confirming this; that is the option I have been presenting from the beginning. I don't have access to Deployment B; hopefully I can get them to change this.