ISE 2.4 patch5 - Anyconnect with posture issue on win10&win7

startx001
Level 1

Hi,

Posture on AnyConnect is not working OK.

The client gets stuck in pending status and after a long time switches to compliant status.

The problem is solved when the client connects to wifi; in that case the client downloads all files and after that VPN with posture works as expected.

But I need the client to be able to connect normally to VPN and use posture without connecting to wifi.

The problem is solved by copying ISEPostureCFG.xml to the location C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE.

A new problem that shows up is that Win10 and Win7 delete ISEPostureCFG.xml after some time, and posture on AnyConnect VPN stops working again.

Has someone had the same issue?

Kind Regards,

VZ

6 Replies

paul
Level 10

Having to prepopulate your ISEPostureCFG.xml to get things to work means posture discovery isn't working on VPN. If everything is set up correctly the client should be able to have a fresh install of the AnyConnect Posture Module with no ISEPostureCFG.xml and still be able to posture.

How do you have your posture discovery set up? I usually use the redirect to enroll.cisco.com trick:

access-list POSTURE-REDIRECT extended permit ip any host 72.163.1.80
access-list POSTURE-REDIRECT extended deny ip any any

Apply that ACL in the VPN unknown state as a redirect ACL to the client provisioning portal. If the redirection is working the client (as a test) should be able to surf to http://enroll.cisco.com and get the client provisioning portal. If this works, the ISE posture module will discover the correct PSN to report posture to even without the config XML file.

Read more about posture discovery here:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html
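A small diagnostic for the test paul describes (browsing to http://enroll.cisco.com from the VPN client and checking that the request lands on the client provisioning portal). This is an added example, not code from the thread or from Cisco. The portal URL shape it looks for (https://<psn>:8443/portal/gateway?...) is an assumption about the ISE redirect, and the PSN_HOSTS names are constructed placeholders; replace them with your own PSN hostnames.

```python
"""Probe posture discovery: does an HTTP request to enroll.cisco.com get
redirected by the ASA to the ISE client provisioning portal?

Added example, not from the thread or Cisco. The portal URL shape
(https://<psn>:8443/portal/gateway?...) is an assumption; PSN_HOSTS are
constructed placeholders.
"""
import http.client
from urllib.parse import urlparse

ENROLL_HOST = "enroll.cisco.com"
# Constructed placeholders; use the hostnames of your own PSNs.
PSN_HOSTS = ["ise-psn1.example.test", "ise-psn2.example.test"]


def classify_redirect(status, location, psn_hosts, portal_port=8443):
    """Classify one HTTP response from the discovery probe.

    Returns one of:
      "portal-redirect"  - 30x whose Location points at a known PSN on the portal port
      "foreign-redirect" - 30x whose Location is not one of our PSNs (captive portal, proxy, ...)
      "no-redirect"      - a non-30x answer: the request was not intercepted by the redirect ACL
    """
    if status not in (301, 302, 303, 307, 308) or not location:
        return "no-redirect"
    parsed = urlparse(location)
    on_portal_port = (parsed.port or 443) == portal_port
    if parsed.scheme == "https" and parsed.hostname in psn_hosts and on_portal_port:
        return "portal-redirect"
    return "foreign-redirect"


def probe(psn_hosts=PSN_HOSTS, timeout=5):
    """Run the probe from the VPN client; returns (classification, status, location).

    A timeout or connection error usually means the enroll.cisco.com IP is not
    being sent across the tunnel (split-tunnel or DACL problem), so it is reported
    as "unreachable" rather than as a redirect result.
    """
    conn = http.client.HTTPConnection(ENROLL_HOST, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        location = resp.getheader("Location")
        return classify_redirect(resp.status, location, psn_hosts), resp.status, location
    except OSError as exc:
        return "unreachable", None, str(exc)
    finally:
        conn.close()


if __name__ == "__main__":
    result, status, location = probe()
    print(f"{result}: status={status} location={location}")
```

Run it on the VPN-connected client while the session is in the Unknown state: "portal-redirect" means discovery can work without a pre-seeded ISEPostureCFG.xml, "no-redirect" means the redirect ACL is not matching the probe, and "unreachable" points at split tunneling or the DACL.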

On the ASA I use this ACL for redirect:

access-list ISE-REDIRECT-POSTURE extended deny udp any any eq domain
access-list ISE-REDIRECT-POSTURE extended deny ip any host <primary_ISE_IP>
access-list ISE-REDIRECT-POSTURE extended deny ip any host <secondary_ISE_IP>
access-list ISE-REDIRECT-POSTURE extended permit tcp any any eq www

and I also use a DACL to grant correct access for the client.

If you are doing split-tunneling you have to make sure traffic to the enroll.cisco.com IP is sent across the VPN. If the client pulls up http://enroll.cisco.com do they get the client provisioning portal? If you aren't using the client provisioning portal to install the AnyConnect Posture module I wouldn't redirect all web traffic to the portal. Doing so causes confusion and the client might try to reinstall AnyConnect for no reason. You can use the DACL to limit access, but the only thing you need in your redirect ACL is the enroll.cisco.com IP.

Hi,

I'm not using the portal to install the AnyConnect Posture module; I install the modules manually.

So what ports should I redirect instead of www and/or 8443 in the redirect ACL on the ASA?

My DACL looks like this:

permit udp any eq bootpc any eq bootps
permit udp any any eq 53
permit tcp any host <primary_ISE_IP> eq 8905
permit udp any host <primary_ISE_IP> eq 8905
permit tcp any host <primary_ISE_IP> eq 8909
permit udp any host <primary_ISE_IP> eq 8909
permit tcp any host <secondary_ISE_IP> eq 8905
permit udp any host <secondary_ISE_IP> eq 8905
permit tcp any host <secondary_ISE_IP> eq 8909
permit udp any host <secondary_ISE_IP> eq 8909
permit tcp any host <primary_ISE_IP> eq 8443
permit tcp any host <secondary_ISE_IP> eq 8443
permit tcp any host 72.163.1.80
deny ip any any

I would simplify your DACL to this:

permit udp any any eq 53
permit ip any host
permit ip any host
permit tcp any host 72.163.1.80 eq 80
deny ip any any

Your redirect ACL applied in the Unknown result should look like this:

access-list POSTURE-REDIRECT extended permit tcp any host 72.163.1.80 eq 80
access-list POSTURE-REDIRECT extended deny ip any any

Like I said, the real test is to make sure that on the VPN client http://enroll.cisco.com gets redirected to the client provisioning portal.
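An added lint for the two ACLs this thread converges on: a redirect ACL that matches only the enroll.cisco.com IP, and a DACL that permits DNS, the PSNs and the enroll host. This is example code, not from the thread or from Cisco. The 10.0.0.x PSN addresses are constructed placeholders, and the TCP ports it requires per PSN (8443, 8905) are the ones the DACL posted earlier in the thread lists; adjust them to your deployment.

```python
"""Lint an ASA redirect ACL and an ISE DACL against the posture-discovery
layout described in this thread. Added example, not from the thread or
Cisco. PSN addresses are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional

ENROLL_IP = "72.163.1.80"   # enroll.cisco.com, as given in the thread
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68, "https": 443}


@dataclass
class Ace:
    action: str              # permit | deny
    proto: str               # ip | tcp | udp
    src: str                 # "any", a host address, or "net/mask"
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]


def _take_addr(toks, i):
    """Consume one address spec starting at toks[i]; return (spec, next index)."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    return f"{toks[i]}/{toks[i + 1]}", i + 2      # network + mask form


def _take_port(toks, i):
    """Consume an optional 'eq <port>' at toks[i]; return (port or None, next index)."""
    if i < len(toks) and toks[i] == "eq":
        tok = toks[i + 1]
        return (int(tok) if tok.isdigit() else PORT_NAMES[tok]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse one ACE in ASA 'access-list NAME extended ...' form or bare DACL form."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[3:] if toks[2] == "extended" else toks[2:]
    src, i = _take_addr(toks, 2)
    src_port, i = _take_port(toks, i)
    dst, i = _take_addr(toks, i)
    dst_port, _ = _take_port(toks, i)
    return Ace(toks[0], toks[1], src, src_port, dst, dst_port)


def _parse_all(text: str) -> List[Ace]:
    return [parse_ace(line) for line in text.splitlines() if line.strip()]


def lint_redirect_acl(text: str) -> List[str]:
    """The only traffic a posture redirect ACL should match is the enroll.cisco.com probe."""
    findings = []
    for a in _parse_all(text):
        if a.action == "permit" and a.dst != ENROLL_IP:
            findings.append(f"permit {a.proto} to {a.dst} port {a.dst_port}: matches more than "
                            f"{ENROLL_IP}, so ordinary web traffic is sent to the portal")
    return findings


def lint_dacl(text: str, psn_ips, required_tcp=(8443, 8905)) -> List[str]:
    """DACL must allow DNS, reach each PSN, and let the discovery probe reach the enroll host."""
    permits = [a for a in _parse_all(text) if a.action == "permit"]
    findings = []
    if not any(a.proto == "udp" and a.dst_port == 53 for a in permits):
        findings.append("udp/53 not permitted: enroll.cisco.com cannot be resolved")
    for psn in psn_ips:
        full_ip = any(a.proto == "ip" and a.dst == psn for a in permits)
        tcp_ports = {a.dst_port for a in permits if a.proto == "tcp" and a.dst == psn}
        missing = [p for p in required_tcp if p not in tcp_ports]
        if not full_ip and missing:
            findings.append(f"PSN {psn}: tcp {missing} not permitted")
    if not any(a.dst == ENROLL_IP and a.proto in ("ip", "tcp") and a.dst_port in (None, 80)
               for a in permits):
        findings.append(f"no permit to {ENROLL_IP} tcp/80: the probe never leaves the tunnel")
    return findings


# Constructed samples: the broad redirect ACL posted earlier (placeholder PSN
# addresses) and the narrow redirect ACL / simplified DACL recommended above.
BROAD_REDIRECT = """
access-list ISE-REDIRECT-POSTURE extended deny udp any any eq domain
access-list ISE-REDIRECT-POSTURE extended deny ip any host 10.0.0.11
access-list ISE-REDIRECT-POSTURE extended deny ip any host 10.0.0.12
access-list ISE-REDIRECT-POSTURE extended permit tcp any any eq www
"""
NARROW_REDIRECT = """
access-list POSTURE-REDIRECT extended permit tcp any host 72.163.1.80 eq 80
access-list POSTURE-REDIRECT extended deny ip any any
"""
SIMPLE_DACL = """
permit udp any any eq 53
permit ip any host 10.0.0.11
permit ip any host 10.0.0.12
permit tcp any host 72.163.1.80 eq 80
deny ip any any
"""
PSNS = ["10.0.0.11", "10.0.0.12"]

if __name__ == "__main__":
    for name, text in [("broad redirect", BROAD_REDIRECT), ("narrow redirect", NARROW_REDIRECT)]:
        print(name, lint_redirect_acl(text) or "ok")
    print("dacl", lint_dacl(SIMPLE_DACL, PSNS) or "ok")
```

The broad redirect ACL is flagged for its `permit tcp any any eq www` line, which is exactly the "redirect all web traffic" behaviour paul warns about; the narrow one and the simplified DACL pass clean.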

OK, thanks.

Just one last thing.

Which version of the AnyConnect Compliance Module do you use?

Until yesterday I was using version 4.3.405.2048 and saw that, for no reason, the compliance module disappeared from Windows.

(like someone uninstalled it)

Now I have changed to the new version 4.3.484.6144 and I will see if there is some change.