cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

456
Views
0
Helpful
1
Replies
Highlighted
Cisco Employee

ISE BYOD + Anyconnect

Hi Team,

Working on a ISE Design here. The customer is using Anyconnect on all machines and we are doing posture checking for AV product installed before allowing the device.  They don’t have any BYOD hosts that need posture checks via the web portal.

Unfortunately the users keep getting internet explorer pop-ups when they logon because the AnyConnect client is taking some time to initialise. These popups are being generated because Windows is trying to access the internet and getting redirected to the posture portal. Once Anyconnect comes up it initializes and does the posture check from then on it works fine (apart from but the posture popup on the initial logon which is annoying).

We are looking at ways to improve the user experience.  Need your inputs on the following design questions :

  • Do we even need a http posture portal if every user has AnyConnect installed ?   Can we disable or delay the portal redirect somehow ?
  • Am I right in saying that the remediation portal is only blocking ports 80 and 443 from accessing the network (due redirect) while under posture assessment is underway ? e.g. the user could still browse to file shares on the network
  • Can we just block all network access until Anyconnect has started and done the posture assessment ? a redirect only for 80 and 443 doesn’t seem very secure. 
  • Is there any way to speed up the Anyconnect initialization so that it completes posture checks before the user logs on ?
  • Can you point me to any good doco about our options in this regard ?

Regards,

Anshul    

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
VIP Advocate

As you are seeing, posturing happens very late in the login sequence as it is a service that runs after login.  If you try to block too much traffic preposture you are going to end up breaking all the prelogin functions and the login script functions that run as the users login. 

What I usually tell customers is the preposture state needs to be noticeable but not-detrimental to business functions.  I usually advocate blocking Internet access in the preposture state.  This is definitely noticeable but typically not detrimental to the prelogin and login script functions. 

Remember these devices have proven they are corporate assets already by doing 802.1x authentication so they have established some level of trust.

You don't need to redirect all traffic.  If the AC posture is being installed by some other means than the client provisioning portal (I never use the CP portal to install it other than lab testing), then you only need the redirect to help with the posture module discovery process.  The only port 80 traffic you need to redirect is port 80 to the client's default gateway.  If you are doing this on wired and the client has .1 as the DGs on a 10.x.x.x network you can do it with one line:

permit tcp any 10.0.0.1 0.255.255.0 eq 80

So you could use a DACL to allow/deny whatever traffic you want then the redirect ACL just redirecting traffic to the DG for posture discovery.  That should stop the browser from popping up.

View solution in original post

1 REPLY 1
Highlighted
VIP Advocate

As you are seeing, posturing happens very late in the login sequence as it is a service that runs after login.  If you try to block too much traffic preposture you are going to end up breaking all the prelogin functions and the login script functions that run as the users login. 

What I usually tell customers is the preposture state needs to be noticeable but not-detrimental to business functions.  I usually advocate blocking Internet access in the preposture state.  This is definitely noticeable but typically not detrimental to the prelogin and login script functions. 

Remember these devices have proven they are corporate assets already by doing 802.1x authentication so they have established some level of trust.

You don't need to redirect all traffic.  If the AC posture is being installed by some other means than the client provisioning portal (I never use the CP portal to install it other than lab testing), then you only need the redirect to help with the posture module discovery process.  The only port 80 traffic you need to redirect is port 80 to the client's default gateway.  If you are doing this on wired and the client has .1 as the DGs on a 10.x.x.x network you can do it with one line:

permit tcp any 10.0.0.1 0.255.255.0 eq 80

So you could use a DACL to allow/deny whatever traffic you want then the redirect ACL just redirecting traffic to the DG for posture discovery.  That should stop the browser from popping up.

View solution in original post

Content for Community-Ad