ISE 2.7 posturing MacOS installation issue

KelvinT
Level 1

ISE 2.7 patch 3

AnyConnect 4.8

MacOS

Smartcard


I am trying to install AnyConnect posturing on macOS manually (i.e. no JAMF or Mac server). I install the application and place the ISEPostureCFG.xml file in the /opt/cisco/anyconnect/profile/ folder. This file points to the correct PSNs.

When we attempt to scan it can't locate the servers.

Any idea why? I don't believe it's a firewall issue.

Thanks

6 Replies

Mike.Cifelli
VIP Alumni

During client onboarding, when the client posture status is 'Posture Unknown', do you apply a dACL of some sort limiting connectivity? Ensure that in this state access to the PSNs is allowed. List of ports:

----

Posture
- Discovery
- Provisioning
- Assessment/Heartbeat

Discovery (client side): TCP/80 (HTTP), TCP/8905 (HTTPS)
Note: by default, TCP/80 is redirected to TCP/8443. See Web Portal Services: Guest Portal and Client Provisioning.
Cisco ISE presents the Admin certificate for Posture and Client Provisioning on TCP port 8905.
Cisco ISE presents the Portal certificate on TCP port 8443 (or the port that you have configured for portal use).

Discovery (Policy Service Node side): TCP/8443, 8905 (HTTPS)

Provisioning - URL Redirection: see Web Portal Services: Guest Portal and Client Provisioning
Provisioning - Active-X and Java Applet Install including IP refresh, Web Agent Install, and launch NAC Agent Install: see Web Portal Services: Guest Portal and Client Provisioning
Provisioning - NAC Agent Install: TCP/8443
Provisioning - NAC Agent Update Notification: UDP/8905
Provisioning - NAC Agent and Other Package/Module Updates: TCP/8905 (HTTPS)

Assessment - Posture Negotiation and Agent Reports: TCP/8905 (HTTPS)
Assessment - PRA/Keep-alive: UDP/8905

----

HTH!

Yes. The switch's local ACL is "deny" (i.e. no redirect) for the ISE IP with the listed ports.

Mike.Cifelli
VIP Alumni

If possible please share your ACL.

ip access-list extended POSTURE-REDIRECT
 remark DNS
 deny udp any any eq domain
 remark DHCP
 deny udp any eq bootpc any eq bootps
 remark RDP connection
 deny tcp any eq 3389 any
 remark Drive Mapping ports
 deny udp any any range netbios-ns netbios-dgm
 deny tcp any any eq 139
 deny tcp any any eq 445
 remark ISE Server (deny = not redirected, so posture traffic reaches the PSNs directly)
 deny tcp any host ISE1 eq 8905
 deny udp any host ISE1 eq 8905
 deny tcp any host ISE1 eq 8909
 deny udp any host ISE1 eq 8909
 deny tcp any host ISE1 eq 8443
 deny udp any host ISE2 eq 8905
 deny tcp any host ISE2 eq 8905
 deny udp any host ISE2 eq 8909
 deny tcp any host ISE2 eq 8909
 deny tcp any host ISE2 eq 8443
 remark Redirect everything else
 permit ip any any
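An added check (not from the thread or from Cisco) that reads a redirect ACL in the format posted above and confirms each PSN is excluded from redirection on the posture ports Mike listed (TCP/8905, UDP/8905, TCP/8443), and that the catch-all permit sits last so the deny entries are actually evaluated; the host names ISE1/ISE2 and the sample ACL are constructed placeholders.

```python
import re

# Posture ports the PSN must be reachable on while the client is 'Posture Unknown'
# (from the port list in the thread): discovery/assessment TCP 8905, PRA and
# update notifications UDP 8905, agent install / portal TCP 8443.
REQUIRED_PSN_PORTS = {("tcp", 8905), ("udp", 8905), ("tcp", 8443)}

# Matches ACEs of the form '[seq] deny|permit tcp|udp any host <H> eq <port>'.
ACE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(permit|deny)\s+(tcp|udp)\s+any\s+host\s+(\S+)\s+eq\s+(\d+)\s*$"
)

def excluded_ports(acl_text):
    """Return {host: {(proto, port), ...}} for every 'deny ... host H eq P' ACE.
    In an ISE redirect ACL a 'deny' entry is NOT redirected, i.e. it passes through
    to the PSN directly, which is what posture discovery needs."""
    excluded = {}
    for line in acl_text.splitlines():
        m = ACE_RE.match(line)
        if m and m.group(1) == "deny":
            _, proto, host, port = m.groups()
            excluded.setdefault(host, set()).add((proto, int(port)))
    return excluded

def missing_psn_ports(acl_text, psns):
    """For each PSN name, the required posture ports the ACL would still redirect."""
    excluded = excluded_ports(acl_text)
    return {p: sorted(REQUIRED_PSN_PORTS - excluded.get(p, set())) for p in psns}

def catchall_is_last(acl_text):
    """True when 'permit ip any any' is the final ACE and no earlier permit exists;
    a permit placed above the deny lines would redirect PSN traffic first."""
    aces = [re.sub(r"^\d+\s+", "", l.strip()) for l in acl_text.splitlines()
            if l.strip() and not l.strip().startswith(("remark", "ip access-list"))]
    return (bool(aces) and aces[-1] == "permit ip any any"
            and not any(a.startswith("permit") for a in aces[:-1]))

# Constructed sample: the thread's ISE entries with ISE2's TCP/8443 line left out.
SAMPLE_ACL = """\
ip access-list extended POSTURE-REDIRECT
 remark ISE Server
 deny tcp any host ISE1 eq 8905
 deny udp any host ISE1 eq 8905
 deny tcp any host ISE1 eq 8443
 deny udp any host ISE2 eq 8905
 deny tcp any host ISE2 eq 8905
 remark Redirect everything else
 permit ip any any
"""

if __name__ == "__main__":
    for psn, gaps in missing_psn_ports(SAMPLE_ACL, ["ISE1", "ISE2"]).items():
        print(psn, "ok" if not gaps else f"still redirected: {gaps}")
    print("catch-all last:", catchall_is_last(SAMPLE_ACL))
```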

Hi @KelvinT

First of all, you said "ISE 2.7 P3"; could you please double check?

Your REDIRECT ACL looks fine. Could you please:

1. delete the /opt/cisco/anyconnect/profile/ISEPostureCFG.xml file
2. connect again
3. double check whether the supplicant is able to download the ISEPostureCFG.xml

Hope this helps

Hello,

actually ISE 2.7 P2.

I'll try this and let you know what happens.