ISE posture issues over VPN

jatinps
Cisco Employee

Hi - I got the below question from a partner. Any guidance would be great!

Summary

When a client connects over VPN they are authenticated against ISE and they are initially in the “Posture Status: Unknown” state; this causes them to get the redirect authorisation profile. This is fine initially as it means they get provisioned etc. On subsequent connections, when they are fully provisioned, they are still “Posture Status: Unknown” on initial connection.

When the Windows O/S does an “Internet Availability Check” it triggers the redirect, which means clients always get sent to the client provisioning portal in the browser on every connection. This is not ideal as the client is already provisioned and it causes a bit of confusion.

I need the redirect to be in place or else clients can’t be provisioned.

Pseudo Code of Authorisation Policy

- If Compliant then compliant_access
- If Non-Compliant then noncompliant_access
- If Unknown then redirect to client provisioning

My Solution

My solution at the moment is to have a “provisioning” profile and “production” profile on the ASA. When the client first connects and is provisioned with the client, I am also pushing profiles which change the default connection to a new VPN profile. The ISE posture module is configured with a profile which points it at ISE on subsequent connections.

I use policy sets on ISE so the production VPN profile uses a different policy set. This authorisation profile on ISE still has a redirect in place for “Posture Status: Unknown” but with a “deny all” ACL so nothing is ever redirected. (If I don’t have a redirect in place it screws up the ISE logging.)

It also uses an ASA filter to ensure limited access before posture status is updated. I tried using a DACL but this overwrites the user identity with ACL name for reporting.

Problem

My solution works, but I am concerned because it seems a bit of a hack, and if I upgrade ISE or change anything it potentially breaks. I am surprised that only a few people seem to have encountered this problem or are living with it. The design is as per Cisco documentation for the original profile, so I assume the redirection on subsequent connections is happening for anyone doing ASA posture assessment.

ISE 2.2 had some posture assessment enhancements but they are fairly poorly documented so not sure if they resolve this issue. Customer is using ISE 2.0, they can’t upgrade to 2.1 or 2.2 because ESXi is only 5.0 currently.

Any thoughts how this can be addressed more elegantly?

7 Replies

paul
Level 10

You should only see this problem potentially if you are doing non-split-tunneling VPNs. For many of my customers, with the layered security they are applying to the endpoints, they are doing split-tunnel, so the Internet availability check should be a non-issue. The posture module's main way to detect which PSN to report posture to is by doing a port 80 call to the default gateway. So the only thing you really need to redirect is that traffic.

You could block internal access, except access to the PSNs, but allow Internet access in the posture unknown state.

Jason Kunst (accepted solution)
Cisco Employee

Another option is to only redirect on certain sites to allow the user to provision the agent. Example: provision.yourdomain.com, your discovery host would also be provision.domain.com, this will need to be a resolvable host in your environment for redirect to work as well.

In ISE 2.2 and AnyConnect 4.4 we don’t require redirect. This may help you as well. But I see you can't move to 2.2 as of yet.
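The two replies above (paul's "only redirect the port 80 probe to the default gateway, and allow Internet in the unknown state" and Jason's "only redirect to the provisioning host") can both be expressed as a pair of ASA ACLs. The configuration below is an added illustration written for this thread, not configuration from the original poster, Cisco, or any linked document. All names and addresses are constructed placeholders: 10.10.10.10 stands for the PSN, 10.10.10.1 for the VPN clients' default gateway, 10.10.20.5 for the address that provision.yourdomain.com resolves to, and 10.0.0.0/8 for the internal network. In an ASA redirect ACL a `permit` line means "redirect this flow" and a `deny` line means "let it through untouched", so the ACL is deliberately narrow: everything except the two web probes is excluded, and the Windows connectivity check to Microsoft's test hosts never matches a `permit` line and so is never redirected. The second ACL is the "limited access before posture" filter the original poster applied on the ASA instead of a DACL; it allows the PSN and the Internet but blocks the internal range while posture is unknown.

```cisco
! Constructed example for the posture-unknown authorisation profile.
! Addresses are placeholders: replace with your PSN, gateway, provisioning host and internal range.

! --- Redirect ACL (referenced from the ISE authorisation profile's URL redirect) ---
! permit = redirect to the client provisioning portal, deny = do not redirect
access-list ISE_POSTURE_REDIRECT extended deny ip any host 10.10.10.10
! never redirect DNS, or the discovery host cannot be resolved
access-list ISE_POSTURE_REDIRECT extended deny udp any any eq domain
! the posture module's discovery probe: HTTP to the default gateway
access-list ISE_POSTURE_REDIRECT extended permit tcp any host 10.10.10.1 eq www
! the dedicated provisioning host (provision.yourdomain.com), also configured as discovery host
access-list ISE_POSTURE_REDIRECT extended permit tcp any host 10.10.20.5 eq www
! everything else, including the Windows Internet availability check, passes without redirect
access-list ISE_POSTURE_REDIRECT extended deny ip any any

! --- Restrictive filter while posture is unknown (applied to the tunnel instead of a DACL) ---
! allow the PSN so the posture report can be delivered
access-list POSTURE_UNKNOWN_FILTER extended permit ip any host 10.10.10.10
! allow DNS
access-list POSTURE_UNKNOWN_FILTER extended permit udp any any eq domain
! block the rest of the internal network until the endpoint is compliant
access-list POSTURE_UNKNOWN_FILTER extended deny ip any 10.0.0.0 255.0.0.0
! allow Internet so split-tunnel and non-split-tunnel clients behave the same
access-list POSTURE_UNKNOWN_FILTER extended permit ip any any
```

The ISE authorisation profile for the "Unknown" rule then names `ISE_POSTURE_REDIRECT` as the redirect ACL and returns `POSTURE_UNKNOWN_FILTER` as the VPN filter (the assumption here is that the filter is returned by name in the RADIUS Filter-Id attribute, which the ASA applies as a vpn-filter; check the ASA release notes for your version). Because the redirect ACL only matches the two web probes, a provisioned client that reconnects is not bounced to the portal by the operating system's connectivity check, while an unprovisioned client still hits the portal as soon as the posture module probes the gateway. The `deny ip any any` at the end of the redirect ACL is what makes the original poster's "deny all" trick unnecessary: the redirect stays configured, so ISE logging is unaffected, but only the intended traffic is redirected.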

jakunst  Do you have any documentation on how ISE 2.2 and AnyConnect 4.4 can be configured not to require redirect?

I have asked the SME to reach out and reply

Awesome, thanks so much.

Hi Jason,

Did you find out how we can configure ISE 2.2 and AnyConnect 4.4 to not require redirect ?