ISE posture setup

bhartsfield
Level 1

I am having issues getting ISE posturing to work. Had issues with the client and tried to set it up in the lab and still can't get it to work right.

Using an older Windows 7 laptop with AnyConnect and the ISE posture module installed (4.10). Switch is a 9300 with basically the template from ise-support.com for Denali+. ISE server is set up from Cisco videos, where I have an initial policy for "unknown posture" doing an ISE posture redirect, and then my other rules (which work without posturing) looking at whether the user is in a certain group and putting them in this VLAN; I added "posture compliant" to the rule. I do have a basic posture policy set up just looking for whether Windows Firewall is enabled.

What I see when I connect is the Windows laptop goes to "trying to authenticate". Switch very quickly shows dot1x succeeded on access-session but shows nothing at this time on the redirect. The AnyConnect posture module kicks in and says searching for policy server. Nothing changes on either side. Eventually the posture module switches back to "cannot find policy server" and Windows shows "Authentication Failed". At this point the switch access-session starts showing the redirect.

In the logs on the ISE server I do initially see the 802.1X success message with posture "unknown" and then a series of failures saying it did not receive all the RADIUS information expected.

I think my issue is getting the posture module to talk to ISE and download the posture policy on a new setup when it hasn't talked to the policy server previously.

Any ideas? What is the best way to get a new install to connect to ISE from the AnyConnect module and get the posture policy? I thought that is what the redirect was supposed to do, but that doesn't seem to be sent (according to the switch) until after the posture module has stopped searching.

I know I'm missing something simple in this whole flow. And yes, this is using new-format switch configs with service-policy.


8 Replies

Hi,

Do you have ISEPostureCFG.xml on the client machine at the path %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture\ ?

If you are deploying the posture agent manually or using SCCM, for example, the XML file should be created on the ISE server, downloaded to your machine and copied to your clients at this path. If you are using the client provisioning portal to install the posture agent, then the XML will be downloaded to clients as part of the posture agent installation.

Try this, and if all required ports are allowed between clients and the PSN, the discovery process will work.

**** please remember to rate useful posts
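The two things this reply asks you to confirm (is the profile actually on the client, and can the client reach the PSN on the posture ports) can be checked from the client in one go. The script below is an added example written for this edit; it is not from the thread, from Cisco, or from the AnyConnect product, and it is written for Windows PowerShell 2.0+ so it also runs on the Windows 7 lab laptop mentioned in the question. It assumes two things the thread does not state: that the profile uses the CallHomeList and ServerNameRules elements the ISE Posture Profile Editor writes (adjust the element names if yours differ), and that discovery needs TCP 8905 (posture) and 8443 (client provisioning portal) reachable from client to PSN. The port list is a parameter, so change it if your deployment uses different ones.

```powershell
# Added example (not from this thread): check the AnyConnect ISE Posture module's
# profile and PSN reachability on a Windows client.
#
# Assumptions not stated in the thread:
#  - the profile uses text-only <CallHomeList> and <ServerNameRules> elements as
#    emitted by the ISE Posture Profile Editor (adjust if yours differ);
#  - posture discovery needs TCP 8905 (posture) and 8443 (client provisioning
#    portal) open from the client to the PSN.

$ProfilePath = Join-Path $env:ProgramData 'Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture\ISEPostureCFG.xml'

function Get-IsePostureProfile {
    param([string]$Path = $ProfilePath)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "No ISEPostureCFG.xml at $Path - the module has no Call Home list and can only rely on the switch redirect"
        return $null
    }

    # A malformed profile is as useless as a missing one, so fail loudly on bad XML.
    try {
        [xml]$cfg = Get-Content -LiteralPath $Path -ErrorAction Stop
    } catch {
        Write-Warning "ISEPostureCFG.xml exists but is not valid XML: $($_.Exception.Message)"
        return $null
    }

    $root = $cfg.DocumentElement
    # CallHomeList is assumed to be a comma-separated list of host or host:port entries.
    $callHome = @(("" + $root.CallHomeList) -split '\s*,\s*' | Where-Object { $_ })

    New-Object PSObject -Property @{
        Path            = $Path
        CallHomeList    = $callHome
        ServerNameRules = ("" + $root.ServerNameRules)
    }
}

function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)

    # Plain TcpClient connect with a timeout; Test-NetConnection is not available on Windows 7.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected) {
            $client.EndConnect($ar)
            return $true
        }
        return $false
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-PsnReachability {
    param(
        [string[]]$CallHomeList,
        [int[]]$Ports = @(8905, 8443)   # assumed posture and CPP ports
    )

    foreach ($entry in $CallHomeList) {
        $psn = ($entry -split ':')[0]   # drop an explicit :port suffix if present
        foreach ($port in $Ports) {
            New-Object PSObject -Property @{
                PSN       = $psn
                Port      = $port
                Reachable = (Test-TcpPort -Server $psn -Port $port)
            }
        }
    }
}

# Run the checks and print a summary.
$postureProfile = Get-IsePostureProfile
if ($postureProfile) {
    "Profile:         $($postureProfile.Path)"
    "ServerNameRules: $($postureProfile.ServerNameRules)"
    if ($postureProfile.CallHomeList.Count -eq 0) {
        Write-Warning "CallHomeList is empty: discovery depends entirely on the switch redirect"
    } else {
        Test-PsnReachability -CallHomeList $postureProfile.CallHomeList |
            Format-Table PSN, Port, Reachable -AutoSize
    }
}
```

Run it in a PowerShell window on the client while it is attached to the switch port. A missing or empty Call Home list, or a PSN that is unreachable on 8905, matches the "searching for policy server" then "cannot find policy server" sequence described in the question, since in that case the module has nothing to try before the redirect arrives.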

Appreciate your reply.

So I think I was under the understanding that an "unknown posture" redirect would then direct the AnyConnect posture client to download the ISE posture config. Was that an incorrect assumption? I don't want to mess with the portal since we are rolling this out to a large enterprise, so in that case is my best option to push the XML out with the posture module?

So, how do I get this ISEPostureCFG.xml file? I have configured all the AnyConnect profiles and all that in ISE, but where do I go to download this config?

First time dealing with posturing, so sorry for what are probably easy questions.

Hi,

You need to download AnyConnect Profile Editor from the Cisco website. Once installed, it will install AnyConnect Profile Editor - ISE Posture. From there you can create the XML file. Then you push it to your clients.

***** please remember to rate useful posts

Hi Mohammed,

I have installed the ISE posture agent manually and I have the same problem.

I have also created a profile with the tool "ISE Posture Profile Editor", saved it with the name ISEPostureCFG.xml and saved it in the path %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture\, but it does not work for me.

Seeing your answer, I have created the AnyConnect Posture Profile in Cisco ISE. How can I download it to copy it to the path you indicate?

Thanks.

Mike.Cifelli
VIP Alumni

As mentioned, you do need that XML file, which will contain settings that the module will use. Adding an additional option besides the third-party push @Mohammed al Baqari mentioned (which, btw, is 100% a legitimate option): another option, which I think you were alluding to, is the ability for ISE to push the file via the CPP (client provisioning portal). In order to accomplish this you will need to set up an AnyConnect Profile, create the ISEPostureCFG.xml using the editor mentioned, and upload the XML file in ISE. Or you can simply create the posture config file in ISE too. Then, whichever way you choose, add the XML file inside your AnyConnect Config profile, which then gets assigned as your result inside your CPP policy. Then when clients connect and sit in the unknown state at first, they should get redirected to the CPP and ISE should push down the profile to the respective client. Lastly, the posture profile is added under the profile selection section inside the AnyConnect Config profile. HTH!

albertofdez
Level 1

Hi,

What I need is to install the posture module and the posture profile manually or using SCCM or a similar tool.

The Cisco ISE version is 3.0 with patch 3. I attach the ISEPostureCFG.xml file that I created with the ISE Posture Profile Editor.

I understand that if I use the manual process and install the module and the profile, no redirection or access to the portal or anything similar is necessary, right?

Thanks.

Mike.Cifelli
VIP Alumni

Please take a peek at the following to better understand the workflow required: ISE Posture Prescriptive Deployment Guide - Cisco Community

HTH!

Hi Mike,

The problem was not that I did not understand the required flow, I had to open a case in the CT and I have it solved.

Thank you very much for your help.

Regards