Downloading the initial ISE Posture Profile

ChadH63728
Level 1

We currently have AnyConnect with the ISE Posture Module installed. We are using this to posture devices on our wired network before granting network access. Our computers already have the software installed but not the ISEPostureCFG.XML, which has the call home list of our ISE servers. Is there a way to force the clients to download that profile when first connecting? Again, this is for devices using 802.1x on our internal wired network, not VPN. Thanks

7 Replies

You should have an AnyConnect config file you call; there you can set the posture config to use/download.

I did set this up but the policy doesn't download. The ISE Module just says no policy server detected. Then if I manually add the ISEPostureCFG.XML file it will then follow the config file rules (upgrade anyconnect version and update the profile)

I modified my example here. The real project I'm working on here is to allow a client to move from a network using one ISE server to another network with a different ISE server. Without manually changing the ISEPostureCFG.XML containing the different ISE call home servers, the policy servers aren't detected.

With the posture redirect, that would trigger the install of AC or force the check-in, but I'm not sure about not needing a different config for each.

Does each site have its own DNS, where you could set up a similar name pointing to the respective servers?

Unfortunately it's the same DNS for both networks. 

Can each site talk to the ISE at the other? If they can't, you should be able to list multiple posture servers and let AC talk to the one it can connect to.

Worth a try - thanks for the ideas.

Yeah, let me know; it's a different deployment and nothing I can test myself.