ISE anyconnect posture module with flexconnect

cisco2020
Level 1

ISE 2.3 patch 5

 

I am trying to do posturing of a wireless connection using the AnyConnect posture module, but I'm trying to understand how the process actually works. I have an AP in FlexConnect local switching mode. I read "ISE Posture Style Comparison for Pre and Post 2.2", where the AnyConnect Posture Module initiates policy server detection by sending 4 types of probes. But is it the same process when FlexConnect is configured and doing wireless?

None of these probes will be seen by the WLC, hence no redirect-url will be sent to the client. Does the AP intercept the probes instead? Using the FlexConnect redirect ACL? And is the redirect-url sent by the AP to the client or by the WLC? I have firewalls between the client and the data center where the WLC lives, so I need to know whether ports need to be open. What should I expect to see in a packet capture on the client?

In my situation, since the client is connecting for the very first time and doing its first posture, only probes 1 and 2 (HTTP GET /auth/discovery to the default gateway IP and HTTP GET /auth/discovery to enroll.cisco.com) will be the valid probes, right? Probe 3 won't apply since the AC posture profile is not preconfigured on the client.

Anyway, my issue is that AC cannot detect the policy server; system scan shows no policy server detected. I did a debug client on the WLC and can see the RADIUS info with the redirect URL set from ISE:

*Dot1x_NW_MsgTask_6: Jan 10 15:13:43.088: 40:a3:cc:f0:82:46 AAA Override Url-Redirect-Acl 'ACL-REDIRECT' mapped to ACL ID 255 and Flexconnect ACL ID 4
*Dot1x_NW_MsgTask_6: Jan 10 15:13:43.088: 40:a3:cc:f0:82:46 AAA Override Url-Redirect 'https://psn01.ise.company.com:8443/portal/gateway?sessionId=3cfdca0a000e41cb76c6365c&portal=21f5afe0-e78b-11e8-81fe-0050568fd4cc&acti

Except the client never seems to get it.

 

 

3 Replies

Surendra
Cisco Employee (accepted solution)
You might want to go through https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html . Though this document is for CWA/Guest, the redirection flow and configuration is exactly the same as it does not differ for different use cases. If you configure the WLC/AP as described in the document above, you should not face any issues with redirection.

@Surendra

I went through the links, but it doesn't explicitly mention the ISE probes with FlexConnect.

Can you confirm the following:

1. Does the AP intercept the probes instead? Using the FlexConnect redirect ACL?

2. Is the redirect-url sent by the AP to the client or by the WLC?

I am trying to figure out why probes 1 and 2 (HTTP GET /auth/discovery to the default gateway IP and HTTP GET /auth/discovery to enroll.cisco.com) are showing as failing in the AnyConnect DART bundle.
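To answer "what should I see in a packet capture on the client" for probes 1 and 2, the following helper replays those two probes from the client side without following redirects and compares the answer with the Url-Redirect line from the WLC's debug client output. It is an added illustration, not Cisco code or anything from this thread; the debug-line pattern follows the output quoted in the question, while the PSN hostname, sessionId, portal ID and gateway IP are constructed placeholders.

```python
"""Added illustration for this thread (not Cisco code): replay the first two AnyConnect
discovery probes (GET /auth/discovery to the default gateway and to enroll.cisco.com)
without following redirects, and compare the answer with the Url-Redirect the WLC logged."""
import re
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlparse

PROBE_PATH = "/auth/discovery"
# Pattern follows the 'debug client' line quoted in the question.
WLC_REDIRECT_RE = re.compile(r"AAA Override Url-Redirect '(?P<url>[^']*)'")
SAMPLE_WLC_DEBUG = (  # constructed sample line with placeholder PSN, sessionId and portal
    "*Dot1x_NW_MsgTask_6: Jan 10 15:13:43.088: 00:11:22:33:44:55 AAA Override Url-Redirect "
    "'https://psn01.example.com:8443/portal/gateway?sessionId=0a0b0c0d000000010000abcd"
    "&portal=PORTAL-ID-PLACEHOLDER'")

def redirect_from_wlc_debug(debug_text):
    """Redirect URL ISE pushed to the WLC, or None if no such line is present."""
    m = WLC_REDIRECT_RE.search(debug_text)
    return m.group("url") if m else None

def classify_probe_response(status, location):
    """Only an HTTP redirect whose Location carries an ISE sessionId lets the posture module
    find the policy server; a 200, a timeout (status None) or a redirect without sessionId
    ends as 'no policy server detected' in the client."""
    if status in (301, 302, 303, 307) and location:
        query = parse_qs(urlparse(location).query)
        return {"redirected": True, "session_id": query.get("sessionId", [None])[0],
                "portal": query.get("portal", [None])[0]}
    return {"redirected": False, "session_id": None, "portal": None}

def probe_matches_wlc(debug_text, status, location):
    """True when the client saw the very sessionId the WLC received from ISE,
    i.e. the redirect actually made it through to the client."""
    expected = classify_probe_response(302, redirect_from_wlc_debug(debug_text))
    seen = classify_probe_response(status, location)
    return seen["session_id"] is not None and seen["session_id"] == expected["session_id"]

def send_probe(host, timeout=3):
    """GET /auth/discovery as the posture module does; returns (status, Location) or (None, None)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface the 302 instead of following it
    try:
        resp = urllib.request.build_opener(NoRedirect).open(
            f"http://{host}{PROBE_PATH}", timeout=timeout)
        return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")
    except (urllib.error.URLError, OSError):
        return None, None
```

Run `send_probe("<your default gateway IP>")` and `send_probe("enroll.cisco.com")` from the wireless client and feed each result, together with the WLC debug text, to `probe_matches_wlc`; a timeout or a plain 200 on both is exactly the condition that produces "no policy server detected", and a 302 with a different sessionId points at a stale session.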