Contributor

AnyConnect VPN client showing compliant, but not in ISE

In my setup, I have ASA Version 9.6(4)8 & ISE 2.2 patch 8. When I try VPN posturing, I see the below:

  1. Client connects to the VPN.
  2. Client goes through the auth (I have created internal users for VPN).
  3. Client is moved to the posture unknown state.
  4. ISE pushes the ISEPostureCFG.xml to the client.
  5. I have given an any-AV-installed check & an any-AV-updated check.
  6. If my AV is not updated, I get the warning.
  7. If there is no compliance module on the laptop, ISE pushes the posture module.
  8. My Windows client validates the posture conditions.
  9. AnyConnect shows posture compliant.
  10. However, in ISE the client is still stuck in the posture-compliant state & the client keeps redirecting to ISE if I open a browser.
  11. I am using anyconnect-4.5.04029.
  12. I have enabled dynamic authorization in the ASA & I can see "coa-push=true" in the Cisco AV pair in ISE.
  13. In the ASA, the client is still seen with the REDIRECT ACL.

How can I troubleshoot the issue?

Thanks

Nikhil

VIP Advisor

Re: AnyConnect VPN client showing compliant, but not in ISE

There are good examples and step-by-step guides available here:

https://www.cisco.com/c/en/us/support/security/identity-services-engine-2-2/model.html#ConfigurationExamplesandTechNotes

Maybe you have already looked at them (if so, ignore this).

There is a good posture check guide with step-by-step logs to verify.

BB
Participant

Re: AnyConnect VPN client showing compliant, but not in ISE

You say the Client is still stuck doing Posture in ISE, even after the Client passes the checks?

Does ISE receive a Posture Report from the Client? I would guess not. Can you check your ACLs / FW rules to ensure you have all the ports and protocols open?
Cisco Employee

Re: AnyConnect VPN client showing compliant, but not in ISE

Verify the endpoint is matching the proper authorization rule after CoA is sent to the ASA. It could be that the endpoint is matching a provisioning rule instead of a compliant rule. If not, I suggest opening a TAC case to troubleshoot further.

Regards,
-Tim
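The two replies above point at different places where the flow can stall: the posture report never reaching ISE, or the CoA arriving but the re-authorization matching the wrong rule. As an added illustration (not code from the thread or from Cisco), the following script walks the posture flow the original post describes and reports the first missing step. The event names, the `session=`/`rule=` key-value format and the sample lines are constructed for this example; they are not ISE or ASA log formats, and the policy names `Posture-Unknown` / `Posture-Compliant` are assumed.

```python
import re

# Steps of the VPN posture flow, in the order the original post describes them
# (constructed event names, not ISE or ASA log formats).
FLOW = ["auth", "redirect", "posture_report", "coa", "reauth"]

# What to check when the flow stalls before a given step; the hints follow
# the advice given in the replies above.
HINTS = {
    "auth": "no authentication seen for this session",
    "redirect": "client authenticated but was never redirected: check the redirect "
                "ACL referenced by the authorization profile",
    "posture_report": "no posture report reached ISE: check ACL/firewall rules "
                      "between the VPN pool and the ISE policy node",
    "coa": "report received but no CoA pushed: check dynamic authorization on "
           "the ASA and coa-push in the authorization profile",
    "reauth": "CoA pushed but no re-authorization seen: check that CoA from ISE "
              "reaches the ASA",
}

LINE_RE = re.compile(r"^(?P<step>\w+)\s+session=(?P<session>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn constructed log text into a list of (step, session, attrs) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything not in the constructed format
        attrs = dict(KV_RE.findall(m.group("rest")))
        events.append((m.group("step"), m.group("session"), attrs))
    return events


def diagnose(text, session, compliant_rule):
    """Return (code, message) describing where the posture flow stopped.

    compliant_rule is the authorization rule the endpoint is expected to hit
    after CoA (an assumed policy name such as 'Posture-Compliant').
    """
    seen = {}
    for step, sess, attrs in parse_events(text):
        if sess == session and step not in seen:
            seen[step] = attrs  # keep the first occurrence of each step
    for step in FLOW:
        if step not in seen:
            return ("stalled_before_" + step, HINTS[step])
    rule = seen["reauth"].get("rule")
    if rule != compliant_rule:
        return ("wrong_rule_after_coa",
                f"re-authorization matched '{rule}' instead of '{compliant_rule}': "
                "check authorization policy order and the posture-status condition")
    return ("ok", "endpoint moved to the compliant rule after CoA")


# Constructed samples. SAMPLE_STUCK mirrors the symptom in the original post:
# AnyConnect reports compliant and CoA is pushed, but the endpoint re-matches
# the posture-unknown rule and keeps the redirect ACL.
SAMPLE_STUCK = """\
auth session=vpn-1 user=nikhil rule=Posture-Unknown
redirect session=vpn-1 acl=REDIRECT-ACL
posture_report session=vpn-1 status=Compliant
coa session=vpn-1 type=reauth
reauth session=vpn-1 rule=Posture-Unknown
"""

SAMPLE_NO_REPORT = """\
auth session=vpn-2 user=nikhil rule=Posture-Unknown
redirect session=vpn-2 acl=REDIRECT-ACL
"""

SAMPLE_OK = """\
auth session=vpn-3 user=nikhil rule=Posture-Unknown
redirect session=vpn-3 acl=REDIRECT-ACL
posture_report session=vpn-3 status=Compliant
coa session=vpn-3 type=reauth
reauth session=vpn-3 rule=Posture-Compliant
"""

if __name__ == "__main__":
    for sample, sess in ((SAMPLE_STUCK, "vpn-1"), (SAMPLE_NO_REPORT, "vpn-2"), (SAMPLE_OK, "vpn-3")):
        code, msg = diagnose(sample, sess, "Posture-Compliant")
        print(f"{sess}: {code} - {msg}")
```

The check is deliberately ordered: a missing posture report is reported before anything about CoA, because a CoA cannot be expected until ISE has the report, and only when every step is present does the script compare the re-authorization rule against the expected compliant rule, which is the case Tim's reply describes.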