
Need urgent help on client provisioning

User_80617
Level 1

Hi,

I have the following configuration on Cisco ASA for remote access VPN and posturing on ISE.

2 VPN profiles on Cisco ASA: profile1 without posturing and profile2 with posturing. Client provisioning is configured on ISE with an AnyConnect config profile. However, ISE posture module provisioning is done on Cisco ASA (as I was getting issues with it via Cisco ISE).

The problem is with client provisioning: when a user connects to the VPN profile which is not enabled for posturing, client provisioning still happens. AnyConnect VPN gets updated and the posture and compliance modules get downloaded; sometimes DART and SMB are downloaded, which are unnecessary.

On Cisco ASA: for VPN profile1, ISE as authorization, accounting server is not configured.

On ISE: the client provisioning policy is configured in such a way that only the ASA IP with the tunnel group of VPN profile 2 will be client provisioned. Also, the authorisation policy for VPN profile 2 only has compliance rules.

Don't understand why the client is provisioned for VPN profile 1? Need help.

Accepted Solutions

Peter Koltl
Level 7

The posture module (and DART module) is downloaded because it is specified in the ASA group-policy. Use a GP for profile1 which has no module download settings.

The compliance module is downloaded either because CPP redirection is in effect or because the client remembers previous connection data for the ISE as policy server (ConnectionData.xml or ISEpostureCFG.xml on the client).
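
The group-policy change described in the accepted answer, as an added ASA configuration sketch that is not part of the original post. The group-policy and tunnel-group names (GP-PROFILE1, GP-PROFILE2, PROFILE1, PROFILE2) are hypothetical, and the "before" state assumes the module list is set in a policy that profile1 uses or inherits from:

```cisco
! Before (assumed): profile1 resolves to a group-policy that pushes modules,
! either directly or by inheriting the setting from DfltGrpPolicy.
group-policy DfltGrpPolicy attributes
 webvpn
  anyconnect modules value iseposture,dart
!
! After: one dedicated group-policy per tunnel group (hypothetical names).
group-policy GP-PROFILE1 internal
group-policy GP-PROFILE1 attributes
 webvpn
  ! An explicit "none" stops the module list being inherited
  anyconnect modules none
!
group-policy GP-PROFILE2 internal
group-policy GP-PROFILE2 attributes
 webvpn
  ! Only the posture-enabled profile pushes the ISE posture and DART modules
  anyconnect modules value iseposture,dart
!
tunnel-group PROFILE1 general-attributes
 default-group-policy GP-PROFILE1
tunnel-group PROFILE2 general-attributes
 default-group-policy GP-PROFILE2
!
! Verify which module list each policy actually carries
show running-config group-policy GP-PROFILE1
show running-config all group-policy DfltGrpPolicy
```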

4 Replies

Mike.Cifelli
VIP Alumni

Don't understand why client provisioned for VPN profile 1? Need help

-Sounds like you are steering both VPN tunnel group clients to ISE CPP.  Do you have separate authz profiles for each one?  That may help fix your issue.  Also, double check your CPP conditions and work towards keeping the two tunnel groups separate.

Hi,

Actually, both VPN profiles have separate policy sets filtered based on the tunnel groups.

Also, CPP is only for VPN profile 2, and that is also filtered by tunnel group.

thomas
Cisco Employee
