ISE BYOD + AnyConnect

ankaushi
Cisco Employee

Hi Team,

Working on an ISE design here. The customer is using AnyConnect on all machines and we are doing posture checking for an AV product installed before allowing the device. They don’t have any BYOD hosts that need posture checks via the web portal.

Unfortunately the users keep getting Internet Explorer pop-ups when they log on because the AnyConnect client is taking some time to initialise. These pop-ups are being generated because Windows is trying to access the internet and getting redirected to the posture portal. Once AnyConnect comes up, it initializes and does the posture check; from then on it works fine (apart from the posture pop-up on the initial logon, which is annoying).

We are looking at ways to improve the user experience. Need your inputs on the following design questions:

  • Do we even need an HTTP posture portal if every user has AnyConnect installed? Can we disable or delay the portal redirect somehow?
  • Am I right in saying that the remediation portal is only blocking ports 80 and 443 from accessing the network (due to the redirect) while posture assessment is underway? e.g. the user could still browse to file shares on the network.
  • Can we just block all network access until AnyConnect has started and done the posture assessment? A redirect only for 80 and 443 doesn’t seem very secure.
  • Is there any way to speed up the AnyConnect initialization so that it completes posture checks before the user logs on?
  • Can you point me to any good doco about our options in this regard?

Regards,

Anshul

Accepted Solution

paul
Level 10

As you are seeing, posturing happens very late in the login sequence as it is a service that runs after login. If you try to block too much traffic pre-posture you are going to end up breaking all the pre-login functions and the login script functions that run as the users log in.

What I usually tell customers is the pre-posture state needs to be noticeable but not detrimental to business functions. I usually advocate blocking Internet access in the pre-posture state. This is definitely noticeable but typically not detrimental to the pre-login and login script functions.

Remember these devices have proven they are corporate assets already by doing 802.1x authentication so they have established some level of trust.

You don't need to redirect all traffic. If the AC posture module is being installed by some other means than the client provisioning portal (I never use the CP portal to install it other than for lab testing), then you only need the redirect to help with the posture module discovery process. The only port 80 traffic you need to redirect is port 80 to the client's default gateway. If you are doing this on wired and the client has .1 as the DG on a 10.x.x.x network you can do it with one line:

permit tcp any 10.0.0.1 0.255.255.0 eq 80

So you could use a DACL to allow/deny whatever traffic you want, with the redirect ACL just redirecting traffic to the DG for posture discovery. That should stop the browser from popping up.
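To make the answer's split between the DACL and the redirect ACL concrete, here is an added example (not code from the original thread) that evaluates a few pre-posture flows against the one-line redirect ACL above and a constructed pre-posture DACL that blocks the Internet. It models only the small subset of Cisco extended ACE syntax used here, and the DACL contents are an assumption in the spirit of the answer, not a recommended production policy.

```python
import ipaddress

# Constructed example: a tiny evaluator for the "permit|deny <proto> <src> <dst>
# [eq <port>]" subset of Cisco extended ACEs. Sources and destinations are
# either "any" or "address wildcard".

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard semantics: a 1 bit in the wildcard means "don't care",
    # so "10.0.0.1 0.255.255.0" matches every 10.x.y.1 address.
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == b & care

def parse_ace(line):
    tok = line.split()
    ace = {"action": tok[0], "proto": tok[1], "src": None, "dst": None, "dport": None}
    i = 2
    for side in ("src", "dst"):
        if tok[i] == "any":
            i += 1
        else:
            ace[side] = (tok[i], tok[i + 1])
            i += 2
    if i < len(tok) and tok[i] == "eq":
        ace["dport"] = int(tok[i + 1])
    return ace

def acl_action(acl, src, dst, proto, dport):
    # First matching ACE wins; an unmatched flow hits the implicit deny.
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["src"] and not wildcard_match(src, *ace["src"]):
            continue
        if ace["dst"] and not wildcard_match(dst, *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"

# Redirect ACL from the answer; on a wired switch a "permit" here means "redirect".
REDIRECT_ACL = ["permit tcp any 10.0.0.1 0.255.255.0 eq 80"]
# Assumed pre-posture DACL: internal 10/8 reachable, Internet blocked.
# A real one would also need to allow DNS and the ISE PSNs explicitly.
PREPOSTURE_DACL = ["permit ip any 10.0.0.0 0.255.255.255", "deny ip any any"]

def classify(src, dst, proto="tcp", dport=80):
    # The DACL decides whether the flow passes at all; only passing flows
    # are then checked against the redirect ACL.
    if acl_action(PREPOSTURE_DACL, src, dst, proto, dport) != "permit":
        return "dropped"
    if acl_action(REDIRECT_ACL, src, dst, proto, dport) == "permit":
        return "redirected"
    return "allowed"
```

Running `classify` over a flow to the gateway on port 80, to an Internet address, and to an internal file share shows the three outcomes the answer describes: only the gateway HTTP probe is redirected, Internet traffic is dropped by the DACL, and internal traffic passes untouched.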
