11-27-2019 10:57 PM
Hi,
After going through the document ISE Posture Style Comparison for Pre and Post 2.2, I have some questions about step 20 regarding the posture module, as shown below.
Step 20. At this stage the AnyConnect Posture Module initiates policy server detection. This is accomplished with a series of probes that are sent at the same time by the Posture module:
1. Are the first 3 probes sent through port 80?
2. What will happen if I add deny port 80 in the redirect rule?
3. What happens if some app sends port 80 traffic faster than the posture probe? Will ISE reply to that traffic?
11-28-2019 08:53 AM
The whole point of the probes is to trigger redirection. So we actually want to deny TCP/80 in a redirect ACL on a switch so that it triggers redirection to the ISE PSN. If another App is also attempting to connect to anything on TCP/80, it will also be redirected. Just the same as if you opened a browser on that machine and attempted to browse anywhere. You would be redirected to the Client Provisioning Portal.
11-28-2019 06:28 PM
Hi Colby.LeMaire,
If another app is redirected to ISE and ISE replies with the CPP, does the posture module still get the CPP from ISE? Or will all apps, including the posture module, use the same CPP session?
11-28-2019 07:37 PM
If it is another app such as a browser, it will just get the Client Provisioning Portal. The session information is included in the redirect URL and is unique to each session. All that happens with redirection is when you request something like www.google.com, the switch intercepts the request, spoofs the google.com IP address, and replies with an HTTP 302 (Page Moved) response that includes the redirect URL from ISE/switch. So anything attempting to communicate on TCP/80 would receive the same response. That's normal operation.
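The exchange described in the reply above, as an added example that is not part of the thread and not Cisco code: a small model of what the switch does when it intercepts a TCP/80 request on a session with a redirect ACL applied, and of what any client (browser or posture probe) sees in return. The PSN hostname and port, the shape of the redirect URL (a `sessionId` query parameter), and the two sample requests are assumptions constructed for the example; a real ISE redirect URL carries more parameters than shown here.

```python
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed placeholder for the PSN portal address embedded in the redirect URL.
PSN_REDIRECT_BASE = "https://ise-psn.example.com:8443/portal/gateway"

# Constructed sample requests: an ordinary browser request and a request that
# stands in for a posture-module discovery probe. Both are plain HTTP on TCP/80.
BROWSER_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.google.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)
PROBE_REQUEST = (
    b"GET /auth/discovery HTTP/1.1\r\n"
    b"Host: 192.0.2.1\r\n"
    b"User-Agent: AnyConnect-Posture (constructed)\r\n"
    b"\r\n"
)


def parse_http_request(raw: bytes) -> dict:
    """Parse the request line and headers of a plain-text HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def build_redirect_url(session_id: str, portal: str = "cpp") -> str:
    """Redirect URL the switch hands out for this session (URL shape is assumed)."""
    query = urlencode({"sessionId": session_id, "portal": portal, "action": "cpp"})
    return f"{PSN_REDIRECT_BASE}?{query}"


def intercept_tcp80(raw_request: bytes, session_id: str) -> bytes:
    """Model the switch: it answers in place of the real destination with a 302.

    The destination host is irrelevant; every TCP/80 request on the session
    gets the same Location, which carries the session identifier.
    """
    req = parse_http_request(raw_request)
    location = build_redirect_url(session_id)
    body = f'<html><body>Redirecting to <a href="{location}">{location}</a></body></html>'
    response = (
        f"{req['version']} 302 Moved Temporarily\r\n"
        f"Location: {location}\r\n"
        "Content-Type: text/html\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        "\r\n"
        f"{body}"
    )
    return response.encode("ascii")


def session_from_redirect(response: bytes) -> Optional[str]:
    """Client side: pull the session ID out of the 302 Location header, if any."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    status_line, *header_lines = head.split("\r\n")
    if " 302 " not in status_line:
        return None
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            params = parse_qs(urlparse(value.strip()).query)
            return params.get("sessionId", [None])[0]
    return None


def all_get_same_session(session_id: str, *requests: bytes) -> bool:
    """True when every intercepted request on the session yields the same session ID."""
    seen = {session_from_redirect(intercept_tcp80(r, session_id)) for r in requests}
    return seen == {session_id}


if __name__ == "__main__":
    sid = "0A0A0A0A000000150000ABCD"  # constructed session ID
    for req in (BROWSER_REQUEST, PROBE_REQUEST):
        print(intercept_tcp80(req, sid).decode())
    print("same session for browser and probe:", all_get_same_session(sid, BROWSER_REQUEST, PROBE_REQUEST))
```

Note that this only works for plaintext HTTP on TCP/80: the switch cannot inject a 302 into a TLS connection without presenting a certificate for the spoofed host, which is why the probes and the redirect ACL target port 80 rather than 443.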