ISE Posture profile - How to combine with anyconnect without using Posture Portal in ISE

Andre Liverod (Level 1)

We are going to use the AnyConnect ISE Compliance module to run posture on clients. However, we do not want to use the HTTPS Client Provisioning portal to distribute the client. It will be deployed during image installation or LAN software deployment. I have made an XML file with the ISE Posture Profile Editor, but I cannot find out what this file needs to be named and where to put it to activate the Compliance module. Is it possible to combine these files outside of the ISE setup to be distributed, or do I need to assemble the files in ISE and download them via the Client Provisioning Portal?

Accepted Solution

You've deployed the module and the configuration correctly: install the MSI files and place ISEPostureCFG.xml in the appropriate folder.

Until ISE 2.2, the posture module relies on web redirection to find the PSN, so you would have to configure the switches to support CWA, including the redirect ACL and the DACL to allow tcp/8443, tcp/8905 and udp/8905 towards all the PSNs that will handle posture.

7 Replies

Charlie Moreton (Cisco Employee)

Assemble them inside ISE.  If all that is installed as part of your base image is the AnyConnect Client Software, then the compliance module, along with any other AC Modules will be downloaded to the clients when redirected for posture the first time.

Navigate to Policy > Policy Elements > Results > Client Provisioning > Resources and download the Compliance Module you will use.  Upload the AnyConnect software here and then create an ISE Posture Profile by clicking the +Add button and selecting NAC Agent or AnyConnect Posture Profile.  Upload any other AC Modules you will use here, as well.

[Screenshot: ISE_Posture2.PNG]

Now you can add an AnyConnect Configuration by clicking the +Add button and selecting AnyConnect Configuration.

[Screenshot: ISE_Posture3.PNG]

This is where the files are referenced such as the ISE Posture Module.

[Screenshot: ISE_Posture.PNG]

Then go to Policy > Client Provisioning and set your parameters, using the newly created AnyConnect Configuration as the agent in the Results column.

[Screenshot: ISE_Posture4.PNG]

Not to worry, though, if the version of AnyConnect that is installed on the client is the same that is in ISE, then AnyConnect will not reinstall, it will just download the modules needed.

Thanks for answering, but this is not quite what I am looking for. I already have this up and running in my ISE lab. What the customer wants is to deploy AnyConnect and the compliance software from Group Policies so that users do not have to enter this webpage. There should be somewhere on ISE to just download this .exe file directly; I guess I can just create the redirection policy on one switch and download it from there, and maybe we can do deployment of this exe file, but the best would be an MSI file.

Since this customer is looking to use Posture with Dot1x on Wired, we have the issue of having to create an IP interface on the VLAN the users are connecting to in addition to the management interface. This is a lot of work and requires a lot of IP addresses and config on all switches just so the users can reach this portal, only to download some software we could easily distribute elsewhere. It is easier on WLAN, where you do not have this problem.

I tried to just install the two MSI files on the computer, the same I uploaded to ISE, and created an XML file with the ISE Posture Profile Editor and put it in this path: c:\ProgramData\Cisco\Cisco Anyconnect Secure Mobility Client\ISE Posture\ISEPostureCFG.xml

But this did not work. AnyConnect does not recognize the settings and I had to download the package from the CPP portal to get it working. Is there any other, better way to distribute the install files without using the CPP portal?


hslai (Cisco Employee)

Adding to Charles and Viktor...

First of all, regardless of whether you deploy via the web or not, the ISE client provisioning policy needs to be configured properly to match the endpoint sessions.

Secondly, the AnyConnect ISE posture profile should ideally include:

in ISE 2.1 or prior, the parameter Discovery Host, which is the target to which the ISE posture module sends an HTTP request on 80/TCP so that web redirection is triggered and the module can discover the ISE PSN it exchanges posture compliance info with. This is needed for remote access VPN.

ISE 2.2 has a new parameter, Call Home List, and each entry may be either an FQDN (which defaults to 8905/TCP) or FQDN:<cpp-port-number>.
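
The pre-deployment path described in the accepted solution (install the MSIs, drop ISEPostureCFG.xml into the ISE Posture folder, make sure the PSNs are reachable on tcp/8443 and tcp/8905) and the Call Home List convention hslai describes (FQDN defaulting to 8905, or FQDN:port) pulled together into one script, as an added example that is not part of this thread or of Cisco's own tooling. It is meant to run elevated, for instance as a GPO computer startup script. The share path, the MSI file names and version, and the PSN and discovery-host names are assumptions; the profile folder is the one quoted in the thread, and the profile itself is assumed to have been exported from the ISE Posture Profile Editor. The reachability check only proves TCP connectivity, so udp/8905 still has to be verified on the switch side.

```powershell
# Added example, not from the thread: GPO-style pre-deployment of AnyConnect core + ISE
# Posture module, placement of ISEPostureCFG.xml, and a reachability check of the ports
# the posture module needs. Run elevated (e.g. as a computer startup script).
[CmdletBinding()]
param(
    # Share holding the two MSIs and the ISEPostureCFG.xml from the Profile Editor (assumed)
    [string]$Source = '\\fileserver\deploy\anyconnect',
    # Predeploy MSIs in install order (core first); version numbers are placeholders (assumed)
    [string[]]$Msi = @(
        'anyconnect-win-4.6.03049-core-vpn-predeploy-k9.msi',
        'anyconnect-win-4.6.03049-iseposture-predeploy-k9.msi'
    ),
    # Pre-2.2 Discovery Host: any address whose tcp/80 traffic hits the redirect ACL (assumed)
    [string]$DiscoveryHost = 'ise-discovery.example.com',
    # ISE 2.2+ Call Home List entries: 'fqdn' (defaults to 8905) or 'fqdn:port' (assumed names)
    [string[]]$CallHomeList = @('psn1.example.com', 'psn2.example.com:8443')
)

# Folder named in the thread where the posture module reads its profile
$ProfileDir = 'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture'

function Install-Msi {
    param([Parameter(Mandatory)][string]$Path)
    $log = Join-Path $env:TEMP ([IO.Path]::GetFileNameWithoutExtension($Path) + '.log')
    $proc = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru -ArgumentList @(
        '/i', "`"$Path`"", '/qn', '/norestart', '/l*v', "`"$log`"")
    # 0 = installed, 3010 = installed but a reboot is pending; anything else is a failure
    if ($proc.ExitCode -notin @(0, 3010)) {
        throw "msiexec exit code $($proc.ExitCode) for $Path (log: $log)"
    }
    return $proc.ExitCode
}

function Expand-CallHomeEntry {
    # 'psn1.example.com'      -> Host=psn1.example.com Port=8905 (default)
    # 'psn2.example.com:8443' -> Host=psn2.example.com Port=8443
    param([Parameter(Mandatory)][string]$Entry)
    $parts = $Entry.Split(':', 2)
    $port = if ($parts.Count -eq 2) { [int]$parts[1] } else { 8905 }
    return [pscustomobject]@{ Host = $parts[0]; Port = $port }
}

function Test-PsnReachability {
    param([string[]]$Entries, [string]$Discovery)
    $targets = @(foreach ($e in $Entries) {
        $t = Expand-CallHomeEntry -Entry $e
        # each PSN must accept the call-home port plus tcp/8443 (portal) and tcp/8905 (posture)
        foreach ($port in (@($t.Port, 8443, 8905) | Sort-Object -Unique)) {
            [pscustomobject]@{ Host = $t.Host; Port = $port }
        }
    })
    if ($Discovery) {
        # pre-2.2 discovery is an HTTP probe that relies on being redirected
        $targets += [pscustomobject]@{ Host = $Discovery; Port = 80 }
    }
    foreach ($t in $targets) {
        $ok = (Test-NetConnection -ComputerName $t.Host -Port $t.Port `
               -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{ Host = $t.Host; Port = $t.Port; TcpReachable = $ok }
    }
    # udp/8905 cannot be probed this way; confirm it in the switch redirect ACL and the DACL instead
}

# 1. Install core, then the ISE Posture module (it depends on core)
foreach ($m in $Msi) { Install-Msi -Path (Join-Path $Source $m) | Out-Null }

# 2. Place the profile where the posture module looks for it
New-Item -ItemType Directory -Path $ProfileDir -Force | Out-Null
Copy-Item -Path (Join-Path $Source 'ISEPostureCFG.xml') -Destination $ProfileDir -Force

# 3. Report whether this client can reach every PSN through the redirect ACL / DACL
Test-PsnReachability -Entries $CallHomeList -Discovery $DiscoveryHost | Format-Table -AutoSize
```

A row with TcpReachable = False for tcp/8905 or tcp/8443 on a wired client usually means the redirect ACL or the DACL does not permit that PSN yet; the profile will then sit in place but the module will never complete posture, which is the symptom Andre describes above.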

There is still an option for discovery host in the client profile. What should this be if you have over 5 PSNs? I understand you can have many IPs in the call home list.

You want to put in a discovery host that is going to trigger redirection. Redirection and the RADIUS session tell you which of the PSNs to reach out to. Please check this and see if it answers your question. If not, please open a new thread.
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html

Jason,

Is it possible to distribute the software and posture profile outside of using the CPP or redirection? I know we don't have to use redirection after 2.2, but I have yet to see anyone document that this works without using the CPP. I have a client that wants to distribute the software and profile independently so his users never have to manually go to the CPP portal or be redirected for download of the profile. If this works, where do you put the file, and are there any restrictions on how you make it (profile editor vs. in ISE)?

Thanks,

Mark