ISE posture deployment without CPP

xili5
Cisco Employee

Hi,

I am trying to deploy ISE posture testing without the Client Provisioning Portal. What I have already done is

On test pc(windows7):

1. install anyconnect ise posture module by msi installer

2. install anyconnect compliance module by msi installer

3. use the profile editor to create a posture profile, name this file ISEPostureCFG.xml and place it in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture:

I designate discovery host as ISE ip address and all other settings are kept unchanged.

On ISE(2.3)

1. upload the AnyConnect and compliance module packages, create an AnyConnect configuration and profile which includes the discovery host set to the ISE IP address.

2. create client provisioning policy.

3. create posture policy

Then I begin to test. I disable and re-enable the local network connection on the test PC to trigger the AnyConnect posture check, but unfortunately it always shows me "no policy server detected". I can ping ISE from the test PC and there is no firewall between them.

Am I missing something in this deployment? If this deployment should work, how could I troubleshoot this issue?


11 Replies

Ping Zhou
Level 8

Hi Xin,

Please review this TAC paper and verify your settings.

Posture Services on the Cisco ISE Configuration Guide - Cisco

And I just learned that the Discovery Host (DH) field should be a routable target on your network which triggers the URL redirect, not the PSN IP/FQDN itself. Or, see how it behaves if you leave DH blank.

paul
Level 10

The discovery host is just a DNS name that the posture module makes a port 80 call to, expecting to receive a URL redirect back from the switch that points it to the correct PSN to report posture to. If you are trying to do this without URL redirection you would look at a Call Home list.

Are you trying to do this without URL redirection?
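To make the discovery mechanism paul describes concrete, here is an added example (not AnyConnect's or Cisco's code) that models the probe: an HTTP GET to the discovery host that only counts as success if a 3xx redirect with a Location header pointing at a PSN comes back. It stands up two throwaway loopback servers, one behaving like a NAD with a URL-redirect ACL and one like a host that merely answers (as the PSN itself would), so it runs offline; the PSN portal URL, hostnames and ports are constructed for the demo and are not taken from the thread.

```python
"""Toy model of the AnyConnect ISE posture discovery probe.

Added example, not AnyConnect's or Cisco's code: it mimics only the
behaviour described in the thread (an HTTP GET to the discovery host that
is expected to come back as a URL redirect pointing at the PSN).  The
redirect target, hostnames and ports are constructed for the demo.
"""
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Constructed: the redirect a switch/WLC with a URL-redirect ACL would
# send the endpoint to (a PSN client-provisioning portal URL).
PSN_PORTAL_URL = "https://ise-psn.example.com:8443/portal/gateway?portal=cpp"


class RedirectingNAD(http.server.BaseHTTPRequestHandler):
    """Stand-in for a NAD that intercepts port-80 traffic and redirects it."""

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", PSN_PORTAL_URL)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


class PlainHost(http.server.BaseHTTPRequestHandler):
    """Stand-in for a host that answers but applies no redirect
    (for example the PSN itself: pingable, but it is not a NAD)."""

    def do_GET(self):
        body = b"no redirect here"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses as HTTPError instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_discovery_host(host, port=80, timeout=3.0):
    """Send the discovery GET and return the PSN hostname found in a 3xx
    Location header, or None when no redirect comes back (the condition
    the agent reports as "no policy server detected")."""
    opener = urllib.request.build_opener(_NoFollow)
    try:
        with opener.open(f"http://{host}:{port}/", timeout=timeout):
            return None            # 2xx: nothing pointed us at a PSN
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            location = err.headers.get("Location")
            return urlparse(location).hostname if location else None
        return None
    except (urllib.error.URLError, OSError):
        return None                # unreachable/timeout: also "no policy server"


def serve(handler):
    """Start a throwaway HTTP server on an ephemeral loopback port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """Probe a redirecting NAD and a plain host; return both outcomes."""
    results = {}
    for name, handler in (("redirecting_nad", RedirectingNAD), ("plain_host", PlainHost)):
        srv = serve(handler)
        try:
            results[name] = probe_discovery_host("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    print(run_demo())
```

The second case is the one the original poster hit: pointing the discovery host at the PSN gets an answer (the host is reachable, ping works), but no redirect, so the agent has nothing telling it where to report posture. Running the same probe by hand (curl with redirects disabled, or Wireshark on the endpoint) shows which of the two cases you are in.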

xili5
Cisco Employee

Hi Zhou and Paul,

I know how to deploy ISE posture by URL redirection and just wanted to confirm whether URL redirection is a must for the client to discover the policy server. As I understand it, a local ISE posture profile could help the client find ISE after defining a discovery host or call home list. Maybe that is not the case. Do I have to create an authorization rule that, if the posture status is unknown, pushes a redirect URL to the client provisioning portal?

If you use Call Home list you shouldn’t need the redirects.

xili5
Cisco Employee

I use a call home list, but still no luck. Is there any way to find logs on what happens and why it can't discover the policy server?

(attached screenshot: Capture.png)

hslai
Cisco Employee
(Accepted solution)

I would suggest using Wireshark or the like on the endpoint to check for connection attempts. If that does not help, please generate an AnyConnect DART bundle and engage Cisco TAC to check it out. Many of the AnyConnect events are viewable in Windows Event Viewer but there might be too many to be easily digestible.

(attached screenshot: Screen Shot 2018-04-24 at 9.05.54 PM.png)

xili5
Cisco Employee

I find that after one successful authentication, whether by 802.1X or a VPN connection, the AnyConnect posture module is able to contact ISE and download the posture profile from ISE. From then on, disabling/enabling the network connection or logging out/in to trigger a posture check, the AnyConnect posture module is able to contact ISE and conduct posture checking, with no need for an 802.1X or VPN process. It seems that the posture profile must be downloaded from ISE; it is not enough to get posture working by only placing an offline-created posture file on the local disk.

I compared the posture profile downloaded from ISE with the profile created by the profile editor, and the only difference is that the posture profile downloaded from ISE includes "publicKey". So I guess the AnyConnect posture module needs this key to communicate with ISE.

(attached screenshot: screenshot-postureprofile.png)

hslai
Cisco Employee

Many thanks for sharing your results. We will check with the team.

hslai
Cisco Employee

It might be an issue with file permissions.

Earlier this week, I used ASDM to edit a profile for the ISE posture module, which resulted in no PublicKey element. The ASA performed the web deploy to download the profile to the endpoint during the VPN connection, and ISE posture worked OK.

(attached screenshot: Screen Shot 2018-06-16 at 5.28.16 PM.png)

Our engineering team mentioned that the publicKey is from each PSN. After the AC ISE posture module finds the PSN, the PSN will download the ISEPostureCFG along with its publicKey element, and the module will use this publicKey to encrypt the posture reports.

@xili5

Thanks for posting your solution. I was attempting the same scenario as you and couldn't figure out why I was getting "no policy server detected" after manually placing the ISEPostureCFG.xml in the correct path. It began working just as you say after I had the endpoint perform some kind of authentication against ISE (in my case, it was just a MAB auth). After the MAB auth, the PSN pushed its version of the ISEPostureCFG.xml to my endpoint. The only difference was the <PublicKey> tag was added. I'm trying to find out if it is possible to determine this public key ahead of time. It doesn't appear to be the public key associated with any of ISE's system certificates. Did you ever figure out where this key comes from?

Thanks again!

paralerouss
Level 1

Hello @xili5 , @Dominic Zeni , @hslai 

Did you manage to get a definitive answer to the topic?

We are interested in manually deploying the AnyConnect posture module and compliance module and not using the Client Provisioning Portal at all, as installing the software through it would require users to have admin privileges.

I understand that ISEPostureCFG.xml can be manually created and copied over to the specified folder, but it won't work if it does not include the PSN public key. 

I believe it would be possible to make an initial connection using redirection with a test client, get the ISEPostureCFG.xml from ISE (including the PSN public key) and then copy it over manually to all other clients (which will not need redirection, as they will have the correct file with Call home list).

What is happening if we have multiple PSNs though?

Should the file contain the public key of all PSNs and how can we achieve this?

Would the file need to be updated if ISE certificates get renewed?

I have not managed to find any relevant documentation on the topic.

Kind Regards
