Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2156
Views
0
Helpful
7
Replies

Posture Profile not downloaded from Cisco ISE via Cisco ASA

Drthrax
Level 1
Level 1

‎03-10-2020 08:18 AM - edited ‎03-10-2020 08:19 AM

Hi ,
I am deploying ISE posture 2.6 using ( Modules = anyconnect vpn + ISE posture ) from vpn users via CISCO ASA 

, My only problem here is that I am obliged to install the PostureprofileCFG on the endpoint otherwise it will not work , I don't get how to let ISE install the profile directly on the endpoint .

If I don't install the profile manually on the device I always get no policy server
thanks

0 Helpful
7 Replies 7

Mike.Cifelli
VIP Alumni
VIP Alumni

‎03-10-2020 08:38 AM

You can utilize the Client Provisioning Policies in ISE to accomplish the deployment of ISE posture profile upon VPN connection and endpoint provisioning. An example you can leverage as a condition is the tunnel group name to trigger the proper AnyConnect configuration. Under Policy->Policy elements->Results->Client Provisioning->Resources you can setup a AnyConnect profile where you add what modules should be downloaded and what profiles to use for the corresponding modules. Then reference the AC profile in Client Provisioning under results. HTH!
0 Helpful

Drthrax
Level 1
Level 1
In response to Mike.Cifelli

‎03-10-2020 08:58 AM

Hi , thank you for the reply ,
I actually built a profile and it is not working .
Here is the tricks i cant figure out :
There is something about redirection that I cant understand although i did use the acl.on the asa to redirect traffic .
I also read that in order for profile to get pushed from ise you need to connect to enroll.cisco
I already have anyconnect vpn and anyconnect ise posture on the PC but i only need when i connect to have the profile on ise pushed
Can you assist ?
0 Helpful

Cristian Matei
VIP Alumni
VIP Alumni
In response to Drthrax

‎03-10-2020 09:32 AM

Hi,

 

    Yes, "enroll.cisco.com" is on of the steps to make sure AnyConnect somehow gets to ISE to download configuration; you need to make sure that "enroll.cisco.com" is resolvable (doesn't matter to what, as in the end traffic towards enroll.cisco.com will be redirected to ISE), and if you have split-tunnelling, the IP address into which it resolves, is routed through the tunnel. 

    Take a look at this document for guidance, it is excellent. If you get stuck, say where :)

 

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html?referring_site=RE&pos=2&page=https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-soft...

 

Regards,

Cristian Matei.

0 Helpful

Drthrax
Level 1
Level 1
In response to Cristian Matei

‎03-10-2020 11:46 AM

Hi Christian , 

thank you for your reply , 

I actually cant understand why an endpoint must contact enroll.cisco to get the policy , I mean how does enroll.cisco know about my ISE in the environment , the logical thing is that the endpoint will be redirected to ISE and everything should be done on ISE .I already am working on this project . I tried everything possible . I can't seem to get the profile and connect to policy server if i dont manually install the profile on the endpoint . I read all documents I just need someone who tried it ( module is anyconnect VPN + ISE posture on endpoint ) 
thanks !

0 Helpful

Mike.Cifelli
VIP Alumni
VIP Alumni
In response to Drthrax

‎03-10-2020 09:33 AM

On the ASA in your AAA server group config make sure you have enabled dynamic authorization & authorization mode only under ISE policy enforcement. As far as redirect ACLs, build them out on the ASA, and reference the ACL name in your ISE authz profile. Make sure if using default CoA port (udp1700) that it is not blocked in your path.
0 Helpful

Drthrax
Level 1
Level 1
In response to Mike.Cifelli

‎03-10-2020 11:49 AM

Hi , 
thanks for the reply .
already done on ASA , But still if I dont install the profile manually , there is no chance for the endpoint to get the profile I created on ISE to be pushed to the client . I always seem to get " no policy server detected "

I read a lot about these topics but I cant seem to understand the point :

1- http get to cisco.enroll 

2- gateway on endpoint 

these are the methods for url-redirection it seems but I cant relate . 

any help ? 

0 Helpful

Cristian Matei
VIP Alumni
VIP Alumni
In response to Drthrax

‎03-10-2020 01:06 PM

Hi,

 

  I understand your frustration, but many things can go wrong in the setup. If you believe that everything is configured properly but redirect still does not happen (including the DNS resolution of enroll.cisco.com), configure a DiscoveryHost in your ISE Posture XML profile.

 

The reason i provided that document, is because it explains the process flow, so you translate that into requirements. Verify your settings with this guide as well:

 

https://community.cisco.com/t5/security-documents/how-to-configure-posture-with-anyconnect-compliance-module-and/ta-p/3647768

 

         As long as you sure the ISE/ASA config is good, do a wireshark capture on the end host, and also run DART on AnyConnect. This should provide more useful information. The scope of "gateway and enroll.cisco.com" is for the end host to generate some traffic and get redirected to ISE. 

 

 

Regards,

Cristian Matei.

 

 

0 Helpful
Customers Also Viewed These Support Documents