Posture Audit: No Posture agent should allow full access without redirect

harrzhan
Cisco Employee

We have a use case with imaging PCs on user access switches. After re-imaging, the PC initially does not have the ISE agent. However, the posture redirect ACL puts the port into redirect for all port 80 and 443 traffic. We are in audit/monitor mode. Users should have full access even in this UNKNOWN, no-agent state.

In a normal use case, we push the agent through SCCM.

Is there a way to identify a condition where the ISE agent is not present? We could then have a policy to bypass the redirect.

Accepted Solution

Jason Kunst
Cisco Employee

As of ISE 2.2 we don't require redirection for AnyConnect posture.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/release_notes/ise22_rn.html#pgfId-748041

· AnyConnect client provisioning and posture discovery do not mandate CoA and URL redirection. The flow is seamless for on/off premises, third party NADs, and Cisco NADs. Without URL redirection, you can connect to the ISE PSN directly. This eliminates the need to depend on Cisco NADs to support redirection. It also ensures faster onboarding process without discovery.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010110.html#id_39755

You would configure the AnyConnect profile, when deployed via management tools, to connect to a list of PSNs that would handle those agents.

This is the call home list; it requires AnyConnect 4.3 or higher.

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect44/administration/guide/b_AnyConnect_Administrator_Guide_4-4/configure-posture.html#reference_288A1C28DF1549DB9CB171E085944379

Call Home List—Enter FQDNs that you want to use for load balancing, monitoring and troubleshooting lookup, or for DNS mapped to the default Policy Service Node (PSN) in that node (if in a multiple scenario). When this is configured, the first probe for monitoring and troubleshooting lookup is sent to call home. You must configure this while migrating from a redirection to a non-redirection network.
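The quoted documentation says the call home list must be configured while migrating from a redirection to a non-redirection network, because once the redirect ACL is gone the agent's first probe goes straight to the FQDNs in that list. The script below is an added example (not from the original post or from Cisco) that checks each call-home FQDN resolves and accepts TCP connections on the ports the posture module contacts. It assumes TCP 8905 (posture discovery) and TCP 8443 (client provisioning), which are the ISE defaults; the PSN FQDNs are placeholders. The connect function is injectable so the check can be exercised without network access.

```python
"""Pre-migration reachability check for an AnyConnect ISE posture call-home list.

Added example, not code from the original post. Port numbers are the ISE
defaults (assumption: confirm against your own deployment) and the FQDNs
are placeholders.
"""
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Ports the AnyConnect posture module contacts on a PSN (ISE defaults, assumed).
ISE_POSTURE_PORTS: Tuple[int, ...] = (8905, 8443)

# Placeholder call-home list; replace with the FQDNs from your posture profile.
CALL_HOME_LIST: List[str] = ["psn1.example.com", "psn2.example.com"]

# Signature of socket.create_connection, so a fake can be substituted in tests.
Connector = Callable[..., object]


def check_call_home(
    fqdns: Iterable[str],
    ports: Tuple[int, ...] = ISE_POSTURE_PORTS,
    timeout: float = 3.0,
    connect: Connector = socket.create_connection,
) -> Dict[Tuple[str, int], bool]:
    """Return {(fqdn, port): reachable} for every FQDN/port pair.

    DNS failures (socket.gaierror), refused connections and timeouts are all
    OSError subclasses, so any of them marks the pair as unreachable rather
    than aborting the whole check.
    """
    results: Dict[Tuple[str, int], bool] = {}
    for fqdn in fqdns:
        for port in ports:
            try:
                conn = connect((fqdn, port), timeout=timeout)
                close = getattr(conn, "close", None)
                if close is not None:
                    close()
                results[(fqdn, port)] = True
            except OSError:
                results[(fqdn, port)] = False
    return results


def unreachable(results: Dict[Tuple[str, int], bool]) -> List[Tuple[str, int]]:
    """Sorted list of (fqdn, port) pairs that failed, for a go/no-go decision."""
    return sorted(pair for pair, ok in results.items() if not ok)


if __name__ == "__main__":
    res = check_call_home(CALL_HOME_LIST)
    for (host, port), ok in sorted(res.items()):
        print(f"{host}:{port} {'reachable' if ok else 'UNREACHABLE'}")
    # Non-zero exit if any PSN/port is unreachable, so the check can gate
    # the rollout of the non-redirect authorization profile.
    raise SystemExit(1 if unreachable(res) else 0)
```

Run it from an endpoint on the access VLAN before removing the redirect ACL from the authorization profile; every FQDN in the call home list should be reachable on both ports, otherwise agents on freshly imaged PCs will have nowhere to post their posture report and will sit in the UNKNOWN state.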
