ISE redirect to install NAC Agent for Anyconnect users with Split Tunnel?

dirkmelvin
Level 1

Due to a management directive I am not able to disable SPLIT TUNNEL for our VPN users. For this reason, I cannot figure out how to enforce the REDIRECT to ISE for forcing the VPN users to install the NAC AGENT.

Is this possible? If so can we get some documentation on how this is done? Screenshots would be great.

Thanks,

Dirk

8 Replies

harvisin
Level 3

Hello,

I went through your query and found the link below, which may help in solving it:

http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bea904.shtml

I couldn't find the answer that I seek in that doc.

I am trying to see if I can force traffic to the redirect for installing the NAC agent, even on split tunnel traffic; perhaps the first webpage the user opens could force the user to the redirect page if the NAC agent isn't detected.

Thanks,

Dirk

Hi Dirk,

I have the same problem; it has now been two years since you posted your problem.

Have you managed to solve the problem?


I'm having the same issue: when I use split tunnel, the application won't get downloaded, even when my ISE is in the tunnel.


Appreciate your help.


Khaled

No, this has not been 'fixed'; we still have to manually point users to the NAC install or just manually install NAC. It won't redirect for split tunnel users.

I've found a workaround for this problem: the possible way is to configure a DNS entry for enroll.cisco.com pointing to some real/dummy IP behind the ASA, so the probe will be sent there and the ASA will intercept it.

Working with Cisco, I did discover that at least on the latest version of the NAC Agent it attempts a DUMMY check to 1.1.1.1 to try to kick itself into action. So we had to allow 1.1.1.1 across the VPN tunnel so that NAC would actually pop up and check in to the actual defined discovery host on the inside of our network.

Where do you see this enroll.cisco.com being used?

For the redirect to the ISE portal for those that don't have the NAC agent, we were able to figure that out by what we are allowing across the VPN tunnel. Using the documentation for enabling the ASA to do CoA without the IPN, the access list in that document solved the redirect, but only if the user tries to access an internal webserver on port 80.

I captured the traffic using Wireshark and noticed that the AnyConnect agent is trying to get to enroll.cisco.com. So I added it to the hosts file on Windows to point to an IP address (within the split tunnel range) and it worked. The workaround was to push a new hosts file with the enroll entry to each and every machine using the GP server, and it works fine now.

For the redirect it is the same: if your DNS server can resolve the request, the firewall will detect the traffic and redirect it to ISE. Make sure that all DNS requests are going through the VPN by using the command:

split-tunnel-all-dns enable

It's supported only on SSL VPN and IKEv2 (not IKEv1).

I had a similar problem with the AnyConnect ISE Posture Module. The redirection was configured properly, but the client PC was not able to download the posture rules and software from the ISE server.

I fixed it by adding the IP host 72.163.1.80 to the split tunnel ACL. While testing I found out the AnyConnect ISE posture module was sending the HTTP probes to that address, which corresponds to a dummy name: mus.cisco.com. That fictitious host URL is used by Cisco on some of their products.

In my case, adding that address solved my problem.


Hope it helps.


Miguel.
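Pulling the thread's workarounds together, here is an ASA split-tunnel group-policy that keeps the ISE server and the posture probe destinations (72.163.1.80 from Miguel's post, 1.1.1.1 from Dirk's) inside the tunnel and forces DNS over the VPN as Khaled described. This is an added example, not configuration from any poster; the ACL and group-policy names, the 10.0.0.0/8 internal range and the ISE node address 10.10.10.10 are placeholders.

```text
! Added example (not from this thread). Placeholder values:
!   10.0.0.0/8   = internal networks that must stay in the tunnel
!   10.10.10.10  = ISE Policy Service Node (portal + posture downloads)
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT-TUNNEL standard permit host 10.10.10.10
! Posture discovery probe targets named in the thread. Note that
! tunnelling 1.1.1.1 also pulls any real traffic to that address
! (it is a public resolver) through the VPN.
access-list SPLIT-TUNNEL remark mus.cisco.com probe (ISE posture module)
access-list SPLIT-TUNNEL standard permit host 72.163.1.80
access-list SPLIT-TUNNEL remark dummy check by older NAC Agent
access-list SPLIT-TUNNEL standard permit host 1.1.1.1
!
! Redirect ACL the ASA applies to unposture'd sessions: exclude the
! ISE node itself, redirect everything else on port 80 to the portal.
! As Dirk noted, the redirect only triggers for web traffic that
! actually crosses the tunnel, so internal HTTP must be in SPLIT-TUNNEL.
access-list ISE-REDIRECT extended deny ip any host 10.10.10.10
access-list ISE-REDIRECT extended permit tcp any any eq www
!
group-policy GP-SPLIT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 split-tunnel-all-dns enable
```

The redirect ACL name is what ISE returns in its authorization profile for the ASA posture redirect; if the ACL name on the ASA and in the ISE profile differ, no redirect happens and the client silently stays unposture'd.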