03-26-2017 09:24 PM
Hi - I got the below question from a partner. Any guidance would be great!
Summary
When a client connects over VPN they are authenticated against ISE and are initially in the “Posture Status: Unknown” state, which causes them to get the redirect authorisation profile. This is fine initially as it means they get provisioned etc. On subsequent connections, though, when they are fully provisioned, they are still “Posture Status: Unknown” on initial connection.
When the Windows O/S does an “Internet Availability Check” it triggers the redirect, which means clients always get sent to the client provisioning portal in the browser on every connection. This is not ideal as the client is already provisioned and it causes a bit of confusion.
I need the redirect to be in place or else clients can’t be provisioned.
Pseudo Code of Authorisation Policy
- If Compliant then compliant_access
- If Non-Compliant then noncompliant_access
- If Unknown then redirect to client provisioning
My Solution
My solution at the moment is to have a “provisioning” profile and “production” profile on the ASA. When the client first connects and is provisioned with the client, I am also pushing profiles which change the default connection to a new VPN profile. The ISE posture module is configured with a profile which points it at ISE on subsequent connections.
I use policy sets on ISE so the production VPN profile uses a different policy set. This authorisation profile on ISE still has a redirect in place for “Posture Status: Unknown” but with a “deny all” ACL so nothing is ever redirected. (If I don’t have a redirect in place it screws up the ISE logging.)
It also uses an ASA filter to ensure limited access before posture status is updated. I tried using a DACL but this overwrites the user identity with ACL name for reporting.
Problem
My solution works, but I am concerned because it seems a bit of a hack and if I upgrade ISE or change anything it potentially breaks. I am surprised that only a few people seem to have encountered this problem or are living with it. The design is as per Cisco documentation for the original profile, so I assume the redirection on subsequent connections is happening for anyone doing ASA posture assessment.
ISE 2.2 had some posture assessment enhancements but they are fairly poorly documented, so I am not sure if they resolve this issue. The customer is using ISE 2.0; they can’t upgrade to 2.1 or 2.2 because ESXi is only 5.0 currently.
Any thoughts how this can be addressed more elegantly?
03-27-2017 09:51 AM
Another option is to only redirect on certain sites to allow the user to provision the agent. Example: provision.yourdomain.com; your discovery host would also be provision.domain.com. This will need to be a resolvable host in your environment for the redirect to work as well.
In ISE 2.2 and AnyConnect 4.4 we don’t require redirect. This may help you as well. But I see you can't move to 2.2 as of yet.
03-27-2017 08:39 AM
You should only see this problem potentially if you are doing non-split tunneling VPNs. For many of my customers with the layered security they are applying to the endpoints they are doing split-tunnel so Internet availability check should be a non-issue. The posture module's main way to detect what PSN to report posture to is by doing a port 80 call to the default gateway. So the only thing you really need to redirect is that traffic.
You could block internal access, except access to the PSNs, but allow Internet access in the posture unknown state.
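A constructed ASA ACL pair illustrating the approach in the two replies above (redirect only HTTP to the provisioning/discovery host, and limit the Unknown state to PSN plus Internet access). This is an added example, not configuration from the thread or from Cisco; the ACL names, the PSN and provisioning-host addresses and the internal prefix are assumptions.

```cisco
! Added example, not from the thread. Assumed values:
!   PSN (ISE Policy Service Node)        10.10.10.5
!   provision.yourdomain.com resolves to 10.10.10.20 (set as discovery host in the posture profile)
!   Internal networks                    10.0.0.0/8
!
! 1) Redirect ACL, referenced by name in the ISE authorization profile used for the
!    "Posture Status: Unknown" rule. On the ASA a "permit" line is redirected to the
!    client provisioning portal; a "deny" line passes through untouched.
!    Only HTTP to the provisioning/discovery host is redirected, so the Windows
!    Internet availability probe (HTTP to an external host) is no longer caught.
!    If you rely on the module's default-gateway probe instead, add a permit for
!    that address on port 80.
access-list ISE_POSTURE_REDIRECT extended deny udp any any eq domain
access-list ISE_POSTURE_REDIRECT extended deny ip any host 10.10.10.5
access-list ISE_POSTURE_REDIRECT extended permit tcp any host 10.10.10.20 eq www
! Everything else falls through the implicit deny and is not redirected.
!
! 2) vpn-filter ACL for the Unknown state, returned from ISE by name (Filter-Id)
!    so the user identity is kept in reporting, as the poster preferred over a DACL.
!    First match wins; implicit deny at the end.
access-list POSTURE_UNKNOWN_FILTER extended permit udp any any eq domain
access-list POSTURE_UNKNOWN_FILTER extended permit ip any host 10.10.10.5
access-list POSTURE_UNKNOWN_FILTER extended deny ip any 10.0.0.0 255.0.0.0
access-list POSTURE_UNKNOWN_FILTER extended permit ip any any
```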
03-27-2017 07:23 PM
jakunst, do you have any documentation on how ISE 2.2 and AnyConnect 4.4 can be configured not to require redirect?
03-28-2017 10:21 AM
I have asked the SME to reach out and reply
03-28-2017 10:28 AM
Awesome, thanks so much.
06-09-2017 04:22 AM
Hi Jason,
Did you find out how we can configure ISE 2.2 and AnyConnect 4.4 to not require redirect?
06-09-2017 07:57 AM
GOLDLab: SEC-ISE 2.2 Update Lab @ SalesConnect has an exercise on that.