12-03-2021 07:49 AM
Hi,
I have the following configuration on a Cisco ASA for remote access VPN and posturing on ISE.
2 VPN profiles on the Cisco ASA: profile1 without posturing and profile2 with posturing. Client provisioning is configured on ISE with an AnyConnect config profile. However, ISE posture module provisioning is done on the Cisco ASA (as I was getting issues with it via Cisco ISE).
The problem is with client provisioning: when a user connects to the VPN profile which is not enabled for posturing, client provisioning still happens. AnyConnect VPN gets updated and the posture and compliance modules get downloaded; sometimes DART and smb downloads happen, which are unnecessary.
On Cisco ASA: for VPN profile1, ISE as authorization, accounting server is not configured.
On ISE: the client provisioning policy is configured in such a way that the ASA IP with the tunnel group of VPN profile 2 only will be client provisioned. Also, the authorisation policy for VPN profile 2 only has compliance rules.
Don't understand why the client is provisioned for VPN profile 1? Need help.
12-03-2021 08:49 AM
Don't understand why client provisioned for VPN profile 1? Need help
- Sounds like you are steering both VPN tunnel group clients to ISE CPP. Do you have separate authz profiles for each one? That may help fix your issue. Also, double-check your CPP conditions and work towards keeping the two tunnel groups separate.
12-06-2021 01:13 AM
Hi,
Actually, both VPN profiles have separate policy sets filtered based on the tunnel groups.
Also, CPP is only for VPN profile 2, and that is also filtered by tunnel group.
12-09-2021 08:00 PM
Are you following any guides?
How To Configure Posture with AnyConnect Compliance Module and ISE 2.x
12-11-2021 01:46 PM
Posture module (and DART module) is downloaded because it is specified in the ASA group-policy. Use a GP for profile1 which has no module download settings.
Compliance module is downloaded either because CPP redirection is in effect or because the client remembers previous connection data of the ISE as policy server (ConnectionData.xml or ISEpostureCFG.xml on the client).
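One way to check the group-policy point from the accepted answer, as an added example that is not part of the original thread: a small Python audit that reads an ASA running-config and reports which AnyConnect modules each tunnel group's default group policy pushes. The tunnel-group and group-policy names in the sample are constructed, and the script assumes the group policy comes from `default-group-policy` only, not from one assigned by a AAA server.

```python
import re

# Constructed running-config excerpt; all names are hypothetical, not from the thread.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 webvpn
  anyconnect modules none
group-policy GP_POSTURE internal
group-policy GP_POSTURE attributes
 webvpn
  anyconnect modules value iseposture,dart
group-policy GP_PLAIN internal
tunnel-group PROFILE1 type remote-access
tunnel-group PROFILE1 general-attributes
 default-group-policy GP_POSTURE
tunnel-group PROFILE2 general-attributes
 default-group-policy GP_POSTURE
tunnel-group PROFILE3 general-attributes
 default-group-policy GP_PLAIN
"""
DEFAULT_GP = "DfltGrpPolicy"

def modules_per_tunnel_group(config):
    """Map each tunnel group to the modules its default group policy downloads."""
    gp_modules, tg_policy, section = {}, {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level line opens a new section
            m = re.match(r"(group-policy|tunnel-group) (\S+) (\S+)", line)
            section = m.groups() if m else None
            if m and m.group(1) == "tunnel-group":
                tg_policy.setdefault(m.group(2), DEFAULT_GP)
            continue
        if section is None or not line.strip():
            continue
        kind, name, _sub = section
        words = line.split()
        if kind == "group-policy" and words[:2] == ["anyconnect", "modules"]:
            # "none" disables downloads; "value a,b" lists the modules to push
            gp_modules[name] = [] if words[2] == "none" else words[3].split(",")
        elif kind == "tunnel-group" and words[0] == "default-group-policy":
            tg_policy[name] = words[1]
    inherited = gp_modules.get(DEFAULT_GP, [])  # unset policies inherit the default
    return {tg: gp_modules.get(gp, inherited) for tg, gp in tg_policy.items()}

if __name__ == "__main__":
    for tg, mods in modules_per_tunnel_group(SAMPLE_CONFIG).items():
        print(f"{tg}: {', '.join(mods) or 'no module download'}")
```

In the sample, PROFILE1 shares GP_POSTURE with PROFILE2 and so still receives the posture and DART modules, while PROFILE3 inherits `anyconnect modules none` from the default policy.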