01-25-2021 07:56 AM
ISE 2.7 patch 3
AnyConnect 4.8
MacOS
Smartcard
I am trying to install AnyConnect posturing on a MacOS manually (i.e. no JAMF or Mac Server). I install the application and place the ISEPostureCFG.xml file in the /opt/cisco/anyconnect/profile/ folder. This file points to the correct PSNs.
When we attempt to scan, it can't locate the servers.
Any idea why? I don't believe it's a firewall issue.
Thanks
01-25-2021 08:46 AM - edited 01-25-2021 08:49 AM
During client onboarding, when the client posture status is 'Posture Unknown', do you apply a dACL of some sort limiting connectivity? Ensure that in this state access to the PSNs is allowed. List of ports:
----
Posture
- Discovery
- Provisioning
- Assessment / Heartbeat
Discovery (Client side): TCP/80 (HTTP), TCP/8905 (HTTPS)
Note: By default, TCP/80 is redirected to TCP/8443. See Web Portal Services: Guest Portal and Client Provisioning.
Cisco ISE presents the Admin certificate for Posture and Client Provisioning on TCP port 8905.
Cisco ISE presents the Portal certificate on TCP port 8443 (or the port that you have configured for portal use).
Discovery (Policy Service Node side): TCP/8443, 8905 (HTTPS)
Provisioning - URL Redirection: See Web Portal Services: Guest Portal and Client Provisioning
Provisioning - Active-X and Java Applet Install including IP refresh, Web Agent Install, and launch NAC Agent Install: See Web Portal Services: Guest Portal and Client Provisioning.
Provisioning - NAC Agent Install: TCP/8443
Provisioning - NAC Agent Update Notification: UDP/8905
Provisioning - NAC Agent and Other Package/Module Updates: TCP/8905 (HTTPS)
Assessment - Posture Negotiation and Agent Reports: TCP/8905 (HTTPS)
Assessment - PRA/Keep-alive: UDP/8905
----
HTH!
01-25-2021 09:02 AM
Yes. The switch's local ACL is "Deny" (i.e. no redirect) ISE ip with the listed ports.
01-25-2021 01:21 PM
If possible please share your ACL.
01-28-2021 09:22 AM
POSTURE-REDIRECT
remark DNS
deny udp any any eq domain
remark DHCP
deny udp any eq bootpc any eq bootps
remark RDP connection
deny tcp any eq 3389 any
remark Drive Mapping ports
deny udp any any range netbios-ns netbios-dgm
deny tcp any any eq 139
deny tcp any any eq 445
remark ISE Server
deny tcp any host ISE1 eq 8905
deny udp any host ISE1 eq 8905
deny tcp any host ISE1 eq 8909
deny udp any host ISE1 eq 8909
deny tcp any host ISE1 eq 8443
deny udp any host ISE2 eq 8905
deny tcp any host ISE2 eq 8905
deny udp any host ISE2 eq 8909
deny tcp any host ISE2 eq 8909
deny tcp any host ISE2 eq 8443
remark Redirect everything else
permit ip any any
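A defender-side consistency check for the situation discussed in this thread, added here as an example and not taken from any of the posts: it parses a redirect ACL written in the form posted above and reports, per PSN, which of the posture ports from the port list earlier in the thread would still be redirected instead of reaching the server. It assumes the IOS "deny <proto> any host <H> eq <port>" ACE shape and the hostnames ISE1/ISE2 exactly as written in the posted ACL.

```python
import re
from typing import Dict, List, Set, Tuple

# Ports each PSN must be reachable on during posture, from the port list earlier
# in this thread: discovery/assessment TCP/8905, PRA keep-alive UDP/8905,
# NAC agent install TCP/8443. Anything else may be redirected.
REQUIRED: Set[Tuple[str, int]] = {("tcp", 8905), ("udp", 8905), ("tcp", 8443)}

# Matches an IOS extended ACE such as "deny tcp any host ISE1 eq 8905".
ACE_RE = re.compile(r"^\s*(deny|permit)\s+(tcp|udp)\s+any\s+host\s+(\S+)\s+eq\s+(\d+)\s*$")

# The redirect ACL as posted above; remark lines are omitted because the
# checker ignores them anyway.
POSTED_ACL = """
deny tcp any host ISE1 eq 8905
deny udp any host ISE1 eq 8905
deny tcp any host ISE1 eq 8909
deny udp any host ISE1 eq 8909
deny tcp any host ISE1 eq 8443
deny udp any host ISE2 eq 8905
deny tcp any host ISE2 eq 8905
deny udp any host ISE2 eq 8909
deny tcp any host ISE2 eq 8909
deny tcp any host ISE2 eq 8443
permit ip any any
"""


def parse_exemptions(acl_text: str) -> Dict[str, Set[Tuple[str, int]]]:
    """Per destination host, collect the (proto, port) pairs a 'deny' ACE exempts.
    Redirect ACL semantics are inverted: deny = NOT redirected (reaches the PSN),
    permit = redirected to the portal."""
    exempt: Dict[str, Set[Tuple[str, int]]] = {}
    for line in acl_text.splitlines():
        m = ACE_RE.match(line)
        if m and m.group(1) == "deny":
            _, proto, host, port = m.groups()
            exempt.setdefault(host, set()).add((proto, int(port)))
    return exempt


def missing_exemptions(acl_text: str, hosts: List[str],
                       required: Set[Tuple[str, int]] = REQUIRED) -> Dict[str, List[Tuple[str, int]]]:
    """Return, per PSN, the required (proto, port) pairs the ACL would still redirect."""
    exempt = parse_exemptions(acl_text)
    gaps: Dict[str, List[Tuple[str, int]]] = {}
    for h in hosts:
        missing = sorted(required - exempt.get(h, set()))
        if missing:
            gaps[h] = missing
    return gaps
```

An empty result means every posture port to every listed PSN bypasses redirection, so if discovery still fails the cause lies elsewhere (wrong PSN names in ISEPostureCFG.xml, a dACL, or an upstream firewall).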
01-28-2021 10:42 AM
Hi @KelvinT
first of all ... you said "ISE 2.7 P3" ... could you please double-check?
Your REDIRECT ACL looks fine ... could you please:
1. delete the /opt/cisco/anyconnect/profile/ISEPostureCFG.xml file
2. connect again
3. double check if the Supplicant is able to download the ISEPostureCFG.xml
Hope this helps
01-28-2021 11:56 AM
Hello,
actually ISE 2.7 P2
I'll try this and let you know what happens.