Unable to get ISE 2.3 posture working

cmlozano8
Level 1

Hi All,

I am having issues getting posture to run on a new ISE 2.3 installation. It is currently joined to AD and authentication works; the issue is I am unable to get posture to run. I have been working with TAC and looked at multiple resources, and it appears that as soon as the client provisioning policy is configured the module automatically gets pushed to the client. This doesn't happen in my case; it just hits the posture unknown rule but there is no assessment. One question I did have was concerning the version numbers: I currently have client version 4.6 on the ASA and ISE with compliance module 4.2. I have seen examples with client version 4.2. Does the client have to match the module version, or does that matter? I am currently attempting to upgrade this to version 2.4 to see if that fixes it.

Chris

2 Replies

cmlozano8
Level 1

Ok, so I was able to get posture working, but I had to manually go to the client provisioning portal via the test URL (no automatic redirect). Once I did that, posture started working and my compliant authorization policy appears to work. Now I need to know why the automatic redirection doesn't work, but I am confused by the process.

1. If users already have AnyConnect, but no posture module, and they connect, should it pop up a web page for them to download the AnyConnect compliance module?

2. If users don't have AnyConnect and instead try to VPN in via WebVPN, should it pop up a web page for them to download the AnyConnect compliance module?

3. What is the purpose of the redirect ACL vs. the DACL on the posture unknown authorization policy? They appear to be opposites, and the DACL is being downloaded; once connected (even if posture unknown) I am able to manually bring up the client provisioning portal. Do my ACLs look correct? Do I actually need the redirect?

ASA:

access-list ISE_Redirect extended deny udp any eq bootpc any eq bootps
access-list ISE_Redirect extended deny udp any any eq domain
access-list ISE_Redirect extended deny udp any host 192.168.110.252 eq 8905
access-list ISE_Redirect extended deny tcp any host 192.168.110.252 eq 8905
access-list ISE_Redirect extended deny tcp any host 192.168.110.252 eq 8909
access-list ISE_Redirect extended deny udp any host 192.168.110.252 eq 8909
access-list ISE_Redirect extended deny tcp any host 192.168.110.252 eq 8443
access-list ISE_Redirect extended permit ip any any

ISE:

permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit udp any host 192.168.110.252 eq 8905
permit tcp any host 192.168.110.252 eq 8905
permit tcp any host 192.168.110.252 eq 8909
permit udp any host 192.168.110.252 eq 8909
permit tcp any host 192.168.110.252 eq 8443
deny ip any any

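As an added example (not from the thread or from Cisco), a short Python script that parses the two ACLs posted above and checks the usual convention for a posture-unknown pair: on the ASA a redirect ACL "deny" means "do not redirect", so every flow it denies (DHCP, DNS, the ISE ports) must be permitted by the ISE dACL, the redirect ACL ends with permit ip any any so remaining web traffic is redirected, and the dACL ends with deny ip any any. The ISE address 192.168.110.252 is taken from the post; the script assumes the exempt list and the permit list are meant to match line for line, which is a convention rather than a requirement.

```python
import re

# Constructed from the ACLs posted above; the ISE PSN address 192.168.110.252 is the post's.
ASA_REDIRECT_ACL = """\
access-list ISE_Redirect extended deny udp any eq bootpc any eq bootps
access-list ISE_Redirect extended deny udp any any eq domain
access-list ISE_Redirect extended deny udp any host 192.168.110.252 eq 8905
access-list ISE_Redirect extended deny tcp any host 192.168.110.252 eq 8905
access-list ISE_Redirect extended deny tcp any host 192.168.110.252 eq 8909
access-list ISE_Redirect extended deny udp any host 192.168.110.252 eq 8909
access-list ISE_Redirect extended deny tcp any host 192.168.110.252 eq 8443
access-list ISE_Redirect extended permit ip any any
"""
ISE_DACL = """\
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit udp any host 192.168.110.252 eq 8905
permit tcp any host 192.168.110.252 eq 8905
permit tcp any host 192.168.110.252 eq 8909
permit udp any host 192.168.110.252 eq 8909
permit tcp any host 192.168.110.252 eq 8443
deny ip any any
"""

# Matches both the ASA 'access-list NAME extended ...' form and bare ISE dACL lines.
ACE_RE = re.compile(r"^(?:access-list\s+\S+\s+extended\s+)?(permit|deny)\s+(\S+)\s+(.*)$")

def parse_acl(text):
    """Return ordered (action, protocol, match) tuples with whitespace normalised."""
    entries = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed ACE: {line!r}")
        entries.append((m[1], m[2], " ".join(m[3].split())))
    return entries

def check_complement(redirect_acl, dacl):
    """On the ASA a redirect ACL 'deny' means 'do not redirect', so the dACL must
    permit that flow or the client can never reach ISE. Returns a list of findings."""
    redirect, allowed = parse_acl(redirect_acl), parse_acl(dacl)
    permitted = {(proto, match) for act, proto, match in allowed if act == "permit"}
    findings = [f"redirect ACL exempts {p} {m} but the dACL does not permit it"
                for act, p, m in redirect if act == "deny" and (p, m) not in permitted]
    if redirect[-1] != ("permit", "ip", "any any"):
        findings.append("redirect ACL should end with 'permit ip any any' (redirect the rest)")
    if allowed[-1] != ("deny", "ip", "any any"):
        findings.append("dACL should end with 'deny ip any any' (block the rest until compliant)")
    return findings
```

check_complement(ASA_REDIRECT_ACL, ISE_DACL) returns an empty list for the ACLs above, so the two lists are consistent with each other. This only checks the ACL pair; it cannot see a NAT rule dropping the ISE-to-client packets, which is what the accepted answer in this thread turned out to be.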
I was able to solve this with TAC. The reason the URL redirect wasn't working was that the ASA was dropping the packet between the ISE and VPN client due to matching asymmetric NAT rules inbound vs. outbound. There was a specific (Inside,outside) rule as well as a redundant (any,outside) rule. After removing the (any,outside) rule, the problem was solved.