
3436 Views, 6 Helpful, 10 Replies
xili5
Cisco Employee

ISE posture deployment without CPP

Hi,

I am trying to deploy ISE posture testing without the Client Provisioning Portal. What I have already done is:

On the test PC (Windows 7):

1. Install the AnyConnect ISE posture module via the MSI installer.

2. Install the AnyConnect compliance module via the MSI installer.

3. Use the profile editor to create a posture profile, name this file ISEPostureCFG.xml and place it in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture:

I designate the discovery host as the ISE IP address and keep all other settings unchanged.

On ISE (2.3):

1. Upload the AnyConnect and compliance module packages, create the AnyConnect configuration and profile, which includes the discovery host as the ISE IP address.

2. Create the client provisioning policy.

3. Create the posture policy.

Then I begin to test. I disable and re-enable the local network connection on the test PC to trigger the AnyConnect posture check, but unfortunately it always shows me "no policy server detected". I can ping ISE from the test PC and there is no firewall between them.

Did I miss something in this deployment? If this deployment should work, how could I troubleshoot this issue?

1 ACCEPTED SOLUTION

Accepted Solutions
hslai
Cisco Employee

I would suggest using Wireshark or the like on the endpoint to check for connection attempts. If that does not help, please generate an AnyConnect DART and engage Cisco TAC to check it out. Many of the AnyConnect events are viewable in the Windows event viewer, but there might be too many to be easily digestible.

10 REPLIES
Ping Zhou
Collaborator

Hi Xin,

Please review this TAC paper and verify your settings.

Posture Services on the Cisco ISE Configuration Guide - Cisco

And I just learned that the Discovery Host (DH) field should be a routable target on your network which triggers the URL redirect, not the PSN IP/FQDN itself. Or, see how it behaves if you leave DH blank.

paul
Advocate

The discovery host is just a DNS name that the posture module makes a port 80 call to, expecting to receive a URL redirect back from the switch that points it to the correct PSN to report posture to. If you are trying to do this without URL redirection, you would look at a Call Home list.

Are you trying to do this without URL redirection?

xili5
Cisco Employee

Hi Zhou and Paul,

I know how to deploy ISE posture by URL redirection and just wanted to confirm whether URL redirection is a must for the client to discover the policy server. As I understand it, the local ISE posture profile could help the client find ISE after defining the discovery host or call home list. Maybe that is not the case. Do I have to create an authorization rule that, if the posture status is unknown, pushes a redirect URL for the client provisioning portal?

If you use a Call Home list you shouldn't need the redirects.

xili5
Cisco Employee

I use a call home list, but still no luck. Is there any way to find logs on what happens and why it can't discover the policy server?


xili5
Cisco Employee

I find that after one successful authentication process, whether by 802.1X or a VPN connection, the AnyConnect posture module is able to contact ISE and download the posture profile from ISE. From then on, disabling/enabling the network connection or logging out/in to trigger a posture check, the AnyConnect posture module is able to contact ISE and conduct posture checking, with no need for an 802.1X or VPN process. It seems that the posture profile must be downloaded from ISE; it is not enough to get posture working by only placing an offline-created posture file on the local disk.

I compared the posture profile downloaded from ISE with the profile created by the profile editor, and the only difference is that the posture profile downloaded from ISE includes "publicKey". So I guess the AnyConnect posture module needs this key to communicate with ISE.

hslai
Cisco Employee

Many thanks for sharing your results. We will check with the team.

hslai
Cisco Employee

It might be an issue with file permissions.

Earlier this week, I used ASDM to edit a profile for the ISE posture module and it resulted in no PublicKey element. The ASA performed the web deploy to download the profile to the endpoint during the VPN connection, and ISE posture worked OK.

Our engineering team mentioned the publicKey is from each PSN. After the AC ISE posture module finds the PSN, the PSN will download the ISEPostureCFG along with its publicKey element, and the module will use this publicKey to encrypt the posture reports.

@xili5

Thanks for posting your solution. I was attempting the same scenario as you and couldn't figure out why I was getting "no policy server detected" after manually placing the ISEPostureCFG.xml in the correct path. It began working just as you say after I had the endpoint perform some kind of authentication against ISE (in my case, it was just a MAB auth). After the MAB auth, the PSN pushed its version of the ISEPostureCFG.xml to my endpoint. The only difference was the <PublicKey> tag was added. I'm trying to find out if it is possible to determine this public key ahead of time. It doesn't appear to be the public key associated with any of ISE's system certificates. Did you ever figure out where this key comes from?

Thanks again!
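As an added diagnostic example (written for this page, not code from any poster or from Cisco), the following Python script inspects a locally placed ISEPostureCFG.xml for the discovery settings discussed in this thread and flags the missing PublicKey element that xili5 and the last poster found to be the difference between an offline-created profile and one pushed by a PSN. The root/agent structure and the element names DiscoveryHost and CallHomeList are assumptions for the constructed sample, not a documented schema; PublicKey is the element named in the thread.

```python
"""Inspect an AnyConnect ISE posture profile (ISEPostureCFG.xml) for the
settings this thread discusses. Element names are assumptions for the
sample; the real profile editor output may use different names."""
import xml.etree.ElementTree as ET

# Constructed sample: an offline, profile-editor-created file (assumed
# element names). Note that there is no PublicKey element.
OFFLINE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<cfg>
  <agent>
    <DiscoveryHost>10.0.0.5</DiscoveryHost>
    <CallHomeList>ise-psn1.example.test,10.0.0.5</CallHomeList>
  </agent>
</cfg>
"""

# Constructed sample: the same profile after a PSN pushed its own copy, which
# the thread reports adds a PublicKey element (the value is a placeholder).
PSN_PUSHED_PROFILE = OFFLINE_PROFILE.replace(
    "</agent>", "  <PublicKey>PLACEHOLDER-BASE64-KEY</PublicKey>\n  </agent>")


def _find_text(root, name):
    """Case-insensitive lookup of the first element whose tag is `name`
    (the thread spells it both "publicKey" and "<PublicKey>")."""
    for elem in root.iter():
        if elem.tag.lower() == name.lower():
            return (elem.text or "").strip()
    return None


def inspect_posture_profile(xml_text):
    """Return the discovery settings found and a list of findings."""
    root = ET.fromstring(xml_text)
    discovery_host = _find_text(root, "DiscoveryHost")
    call_home_raw = _find_text(root, "CallHomeList") or ""
    call_home = [h.strip() for h in call_home_raw.split(",") if h.strip()]
    public_key = _find_text(root, "PublicKey")
    findings = []
    if not discovery_host and not call_home:
        findings.append("no DiscoveryHost or CallHomeList: module has no way to locate a PSN")
    if discovery_host and not call_home:
        findings.append("DiscoveryHost only: discovery depends on a URL redirect from the NAD")
    if not public_key:
        findings.append("no PublicKey element: profile was not obtained from a PSN; "
                        "expect 'no policy server detected' until one authentication succeeds")
    return {"discovery_host": discovery_host, "call_home_list": call_home,
            "has_public_key": bool(public_key), "findings": findings}
```

Point the script at the real file under C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture by passing its contents to inspect_posture_profile.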
