10-05-2018 08:18 AM
Hello,
I'm configuring ISE to perform posture over wired and VPN. Over wired the redirect is working (even if the browser doesn't load the page), but on VPN I'm not redirected to ISE. The client is still able to find the policy servers using the connectiondata.xml file (downloaded automatically from ISE), but I think it might stop working at any moment.
This is the ACL on the ASA:
access-list redirect extended deny ip any host (AV)
access-list redirect extended permit tcp any any eq 80
access-list redirect extended permit tcp any any eq 443
And on ISE I have this:
DACL = ACL-Posture-remediation
cisco-av-pair = url-redirect-acl=redirect
cisco-av-pair = url-redirect = https://ip:port/portal. ....... =cpp (client provisioning portal)
This is the same configuration I have for the switch.
Can someone assist, please?
Regards,
Albert
10-21-2018 03:17 AM - edited 10-21-2018 03:19 AM
Please ensure a valid DiscoveryHost is configured in an ISE Posture profile and deployed to the ASA, because enroll.cisco.com and the default gateway often do not work for URL redirects in the VPN use case. Below are some example configurations:
myASAv# more ISEPostureCFG.xml
<?xml version="1.0" encoding="UTF-8"?>
<cfg
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xmlns='http://www.cisco.com/nac/agent/config-1.0'
xsi:schemaLocation='http://www.cisco.com/nac/agent/config-1.0 ISEPostureCFG.xsd'>
<configName>ISEPostureCFG_acprof353783742459450790.xml</configName>
<NacAnyConnectDrpDown>AnyConnectAgent</NacAnyConnectDrpDown>
<OperateOnNonDot1XWireless>0</OperateOnNonDot1XWireless>
<BackOffTimerLimit>30</BackOffTimerLimit>
<LogTrace>0</LogTrace>
<RemediationTimer>4</RemediationTimer>
<DhcpRenewDelay>1</DhcpRenewDelay>
<CallHomeList>myISE.demo.local:8443</CallHomeList>
<LogFileSize>5</LogFileSize>
<PRARetransmissionTime>120</PRARetransmissionTime>
<EnableAgentIpRefresh>1</EnableAgentIpRefresh>
<NetworkTransitionDelay>3</NetworkTransitionDelay>
<PingArp>0</PingArp>
<PingMaxTimeout>1</PingMaxTimeout>
<DhcpReleaseDelay>4</DhcpReleaseDelay>
<StealthWithNotification>0</StealthWithNotification>
<SignatureCheck>0</SignatureCheck>
<DiscoveryHost>10.1.100.10</DiscoveryHost>
<StealthMode>0</StealthMode>
<EnableRescanButton>1</EnableRescanButton>
<VlanDetectInterval>0</VlanDetectInterval>
<DisableUAC>0</DisableUAC>
<ServerNameRules>myISE.demo.local</ServerNameRules>
<PeriodicProbing>3</PeriodicProbing>
</cfg>
myASAv# show running-config group-policy
group-policy DfltGrpPolicy attributes
dns-server value 10.1.100.10
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
default-domain value demo.local
webvpn
anyconnect modules value dart,iseposture
anyconnect profiles value ise-vpn-lab type user
anyconnect profiles value ISEPosture1 type iseposture
myASAv#
myASAv# show run webvpn
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.6.01103-webdeploy-k9.pkg 1 regex "Windows NT"
anyconnect image disk0:/anyconnect-linux64-4.6.01103-webdeploy-k9.pkg 2 regex "Linux"
anyconnect image disk0:/anyconnect-macos-4.6.01103-webdeploy-k9.pkg 3 regex "Intel Mac OS X"
anyconnect profiles ISEPosture1 disk0:/ISEPostureCFG.xml
anyconnect profiles ise-vpn-lab disk0:/ise-vpn-lab.xml
anyconnect enable
cache
disable
error-recovery disable
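As an added example (not from the thread and not Cisco's code), a small Python check that parses an ISE posture profile like the one above and flags the discovery settings this reply says matter for VPN: an empty or enroll.cisco.com DiscoveryHost, a missing CallHomeList, and CallHomeList hosts not covered by ServerNameRules. The sample profile is constructed, and treating ServerNameRules as comma-separated wildcard patterns is an assumption.

```python
import fnmatch
import ipaddress
import xml.etree.ElementTree as ET

# Namespace used by the ISEPostureCFG.xml shown in the reply above.
NS = {"nac": "http://www.cisco.com/nac/agent/config-1.0"}

# Constructed sample profile, modelled on the one in the reply (not a real export).
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<cfg xmlns="http://www.cisco.com/nac/agent/config-1.0">
  <CallHomeList>myISE.demo.local:8443</CallHomeList>
  <DiscoveryHost>10.1.100.10</DiscoveryHost>
  <ServerNameRules>myISE.demo.local</ServerNameRules>
</cfg>"""


def _text(root, tag):
    """Text of a single child element, or '' when it is absent."""
    el = root.find(f"nac:{tag}", NS)
    return (el.text or "").strip() if el is not None else ""


def check_posture_profile(xml_text):
    """Return a list of findings; an empty list means the profile passes."""
    root = ET.fromstring(xml_text)
    findings = []
    host = _text(root, "DiscoveryHost")
    if not host or host.lower() == "enroll.cisco.com":
        findings.append("DiscoveryHost must point at a reachable ISE PSN, not enroll.cisco.com or empty")
    else:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            # A hostname is allowed, but it must resolve via the tunnel's DNS; flag it for review.
            findings.append(f"DiscoveryHost '{host}' is a hostname; confirm VPN DNS resolves it")
    call_home = [e.strip() for e in _text(root, "CallHomeList").split(",") if e.strip()]
    if not call_home:
        findings.append("CallHomeList is empty; the agent has no PSN to contact directly")
    # Assumption: ServerNameRules is a comma-separated list of wildcard patterns.
    rules = [r.strip().lower() for r in _text(root, "ServerNameRules").split(",") if r.strip()]
    for entry in call_home:
        name, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit():
            findings.append(f"CallHomeList entry '{entry}' is not in host:port form")
            continue
        if rules and not any(fnmatch.fnmatch(name.lower(), r) for r in rules):
            findings.append(f"CallHomeList host '{name}' is not matched by ServerNameRules")
    return findings


if __name__ == "__main__":
    for finding in check_posture_profile(SAMPLE_PROFILE) or ["profile OK"]:
        print(finding)
```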
10-05-2018 08:21 PM - edited 10-08-2018 05:24 AM
Are you doing split tunneling? If you are doing split tunneling you probably aren't going to catch any of the posture module default calls. There will be no default gateway port 80 request and your split tunnel ACL probably doesn't include the IP for enroll.cisco.com. Add the IP for enroll.cisco.com to your split tunnel ACL and see if that helps.
10-17-2018 03:50 AM
Hi Paul,
Sorry for my delay.
Today I was able to check ASDM at the same time as a user was logging in.
I can see that there is the redirection on ASDM, but still there is no redirection.
On wired I see a webpage opening automatically; for VPN, nothing.
Also, this is causing issues because some users cannot find the policy server over VPN.
10-17-2018 04:55 AM
Hi Paul,
I think I'm about to find the issue.
When I check the logs on ISE I can see:
Not able to find PPD session for (MAC address)
and on Dart logs I see:
Headend is empty. Possibly, content is not in the form 'X-ISE-PDP'
Not sure what the issue is.
Just to describe you my deployment, I have two ISE in HA pair and I'm using these to authenticate, authorize and posture users over VPN and wired.
Do you see any issue with this?
10-08-2018 04:44 PM
Have you looked at some of our configuration guides, like ISE Design & Integration Guides > Cisco Adaptive Security Appliance (ASA):