08-15-2017 07:32 PM
Hi Team,
Working on an ISE design here. The customer is using AnyConnect on all machines and we are doing posture checking for the AV product installed before allowing the device. They don't have any BYOD hosts that need posture checks via the web portal.
Unfortunately the users keep getting Internet Explorer pop-ups when they log on because the AnyConnect client is taking some time to initialise. These pop-ups are being generated because Windows is trying to access the internet and getting redirected to the posture portal. Once AnyConnect comes up it initialises and does the posture check; from then on it works fine (apart from the posture pop-up on the initial logon, which is annoying).
We are looking at ways to improve the user experience. Need your inputs on the following design questions:
Regards,
Anshul
08-15-2017 09:56 PM
As you are seeing, posturing happens very late in the login sequence as it is a service that runs after login. If you try to block too much traffic pre-posture you are going to end up breaking all the pre-login functions and the login script functions that run as the users log in.
What I usually tell customers is the pre-posture state needs to be noticeable but not detrimental to business functions. I usually advocate blocking Internet access in the pre-posture state. This is definitely noticeable but typically not detrimental to the pre-login and login script functions.
Remember these devices have proven they are corporate assets already by doing 802.1x authentication so they have established some level of trust.
You don't need to redirect all traffic. If the AC posture module is being installed by some other means than the client provisioning portal (I never use the CP portal to install it other than for lab testing), then you only need the redirect to help with the posture module discovery process. The only port 80 traffic you need to redirect is port 80 to the client's default gateway. If you are doing this on wired and the client has .1 as the DG on a 10.x.x.x network you can do it with one line:
permit tcp any 10.0.0.1 0.255.255.0 eq 80
So you could use a DACL to allow/deny whatever traffic you want then the redirect ACL just redirecting traffic to the DG for posture discovery. That should stop the browser from popping up.
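As an added illustration (not part of the reply above), this is how the two ACLs described could be laid out for a wired IOS switch: the switch-side redirect ACL that only catches HTTP to the gateway, and the ISE-side pre-posture DACL that blocks Internet but keeps internal services reachable. The ACL names, the 10.0.0.0/8 internal range and the gateway-at-.1 convention are assumptions.

```cisco
! --- Redirect ACL (configured on the switch, referenced by name in the ISE
! authorization profile under Web Redirection > Client Provisioning (Posture)).
! On IOS a 'permit' entry means "redirect this flow"; 'deny' means "leave it alone".
! Only HTTP to the client's default gateway (10.x.x.1) is redirected, which is all
! the AnyConnect posture module needs for its discovery probe. Windows background
! HTTP traffic to the Internet no longer hits the portal, so no browser pop-up.
! Note: the switch needs 'ip http server' enabled for the redirect to work.
ip access-list extended POSTURE-REDIRECT
 remark wildcard 0.255.255.0 matches 10.*.*.1, i.e. the DG of every 10.x.x.0/24 client subnet
 permit tcp any 10.0.0.1 0.255.255.0 eq 80
 remark everything else passes through un-redirected
 deny ip any any

! --- Pre-posture DACL (entered in ISE under Policy > Policy Elements > Results >
! Downloadable ACLs and attached to the same authorization profile).
! "Noticeable but not detrimental": DHCP and the internal 10/8 range stay open so
! login scripts and domain traffic still work; only Internet access is blocked
! until the posture check passes and the compliant authorization profile is applied.
permit udp any eq 68 any eq 67
permit ip any 10.0.0.0 0.255.255.255
deny ip any any
```

Once the client is marked compliant, ISE pushes the compliant authorization profile (typically a permissive DACL and no redirect), so the deny line above only applies while the posture module is still starting.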