Rollout ISE Posture challenge

Freemen
Level 1

Hi all,

If the customer has no SCCM to push the AnyConnect core, posture, etc. to the client, and the method they use is another software management engine, which seems unreliable.

Is there any way to deploy the 1k endpoints with posture without interruption?

Scenario: wired/wireless endpoint, GPO pushed, client connected to the network but no AnyConnect agent, stuck at posture redirect.

3 Replies

agrissimanis
Level 1

To start, make sure that the redirect ACLs are correct on your switches and wireless controllers, so that the endpoints that do have AnyConnect successfully predeployed can discover and connect to the ISE PSNs.

For the endpoints that do not have AnyConnect predeployed in advance, the user needs to open a browser and attempt to open any HTTP website. This should trigger a redirect in the browser to the client provisioning portal, from where the user can download and install the AnyConnect client (admin rights are likely needed for this). AnyConnect will not install by itself, even if the endpoint is under the posture-redirect ACL. That first-time install needs user intervention. Future updates to AC or the posture module can be automatic, without the need for the user to do anything.


@agrissimanis wrote:

To start, make sure that the redirect ACLs are correct on your switches and wireless controllers, so that the endpoints that do have AnyConnect successfully predeployed can discover and connect to the ISE PSNs.

For the endpoints that do not have AnyConnect predeployed in advance, the user needs to open a browser and attempt to open any HTTP website. This should trigger a redirect in the browser to the client provisioning portal, from where the user can download and install the AnyConnect client (admin rights are likely needed for this). AnyConnect will not install by itself, even if the endpoint is under the posture-redirect ACL. That first-time install needs user intervention. Future updates to AC or the posture module can be automatic, without the need for the user to do anything.


A couple of recommendations here. I wouldn't recommend redirecting or blocking all traffic at the general redirect stage for non-compliant or unknown status. You can block access to highly secure items but allow access to the internet and maybe basic employee services if you like, so the user is not completely blocked. When they try to access critical secure internal resources you can also redirect on those. This would prevent issues with apps being blocked and throwing weird errors, confusing and annoying the users (think Outlook). I would recommend pre-installing so that the agents are ready to go with the proper XML file. If a client doesn't have it, you can redirect users to use enroll.cisco.com to posture as part of the general on-boarding requirements.
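A redirect ACL and the matching "posture Unknown" dACL that implement what the two replies above recommend (intercept only web traffic, keep DNS, the PSN and the internet reachable, block only sensitive internal networks), shown here as an added example rather than configuration from this thread or from Cisco. The ACL names, the PSN address 10.0.0.10 and the 10.10/10.20 subnets are assumed placeholders.

```cisco
! --- Access switch (Catalyst IOS / IOS-XE). Redirect ACL named in the ISE
! --- authorization profile. On this platform PERMIT = intercept and redirect,
! --- DENY = pass untouched (the dACL below still filters what passes).
ip access-list extended ACL-POSTURE-REDIRECT
 remark Never redirect traffic to the ISE PSN (assumed address): the client
 remark provisioning portal (8443) and posture (8905/8909) must reach it directly
 deny   ip any host 10.0.0.10
 remark DNS and DHCP must work before any browser request can be redirected
 deny   udp any any eq domain
 deny   udp any any eq bootps
 remark Intercept web traffic only: the user's first browser request (or the
 remark AnyConnect discovery probe to enroll.cisco.com) lands on the client
 remark provisioning portal
 permit tcp any any eq www
 permit tcp any any eq 443
!
! --- dACL body entered in ISE (Policy > Policy Elements > Results >
! --- Downloadable ACLs) and applied by the "Posture = Unknown" authorization
! --- profile together with the redirect ACL above. The "!" lines are comments
! --- for the reader and are not part of the dACL text.
! Name: DACL-POSTURE-UNKNOWN
permit udp any any eq domain
permit udp any any eq bootps
permit ip any host 10.0.0.10
! basic employee services that remain reachable while status is Unknown
permit tcp any 10.10.0.0 0.0.255.255 eq 443
! sensitive internal networks stay blocked until the endpoint is Compliant
deny   ip any 10.20.0.0 0.0.255.255
! internet stays open so Outlook and other apps do not fail with odd errors
permit ip any any
!
! --- Wireless (AireOS WLC) caveat: redirect ACL semantics are inverted there.
! --- PERMIT = pass without redirect, DENY = redirect. The equivalent WLC ACL
! --- therefore permits DNS, DHCP and the PSN and denies everything else.
```

Check the redirect ACL on the switch with "show ip access-lists ACL-POSTURE-REDIRECT" and the applied dACL on the session with "show authentication sessions interface <if> details"; if the PSN line is missing or ordered after the permit lines, AnyConnect's posture probe is itself redirected and the session never leaves Unknown.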


Timothy Abbott
Cisco Employee
If you can't use a software deployment solution such as SCCM or another one, then you could always use ISE as the deployment mechanism. You will just need to ensure that your network access devices are capable of assisting in the deployment.

Regards,
-Tim