cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
784
Views
0
Helpful
2
Replies
Beginner

ISE Posture IE web redirect Win7/8 with Anyconnect already installed?

Having a problem where I have Windows 7 and Windows 8.1 clients connecting to the network via wireless, they already have Anyconnect 4.3.x installed with ISE posture checking for AV installed.  When the AuthZ rule for EAP Chaining sees posture status equal to unknown when a user logs in it immediately fires up IE and tries to do a web based ISE posture check.  But if you wait a little bit, Anyconnect runs and does an ISE posture check itself and completes.  And then of course a CoA happens and the status goes to compliant/permit access.  But that IE window for ISE posture is still sitting there.

Its driving my mock production group crazy.  Its like the web redirect doesn't know that Anyconnect is already on the box.

I spoke to TAC and they suggested this is a problem with IE and there is no ISE config to correct this problem.  Does anyone know the reg key to disable this behavior?

Also, my concern is that once this behavior is disabled in Windows 7 and Windows 8.1, those users then when connecting to guest networks managed by ISE will not see a web auth redirect.  However my Windows 10 users don't ever see the ISE posture web auth redirect, but they do see... as expected... a guest network web auth redirect.

Outside of here its been suggested that the windows 7/8.1 "HotspotAuthentication" reg key is the problem.  Setting this to zero does not resolve the issue.  Software\Policies\Microsoft\Windows\HotspotAuthentication Enabled=0

confusing.

Any help is greatly appreciated.
-e

As a side note I would love to be able to image all the files to the machine and not have to use client provisioning to fire off ISE posture, feature request.

1 ACCEPTED SOLUTION

Accepted Solutions
Beginner

If remember well, 

If remember well, 

if your network change, windows made an NCSI test (Network Connectivity Status Indicator),

with a DNS and a http request. This test forced your browser to pop-up a window.

I think you have three choise:

- if the machines are managed by you

1, you cah switch off this feature. In this case you lost the windows internet detection feature

2, you can change the address pointed by default to http://www.msftncsi.com (several ip)  to a simple outside ip, and after you have an entry at the redirect ACL to allow traffic to this ip without redirect

If machines are outside of your control

3, you can build a complex redirect acl, witch will allows traffic to the ip resolved by www.msftncsi.com. I have a large collection from a crontabbed gethostbyname (attached) , it has 246 entry, but you can reduce it to 4-5 bigger subnet. I think it not a big risk to allow this traffic when redirect is active.

http://blog.superuser.com/2011/05/16/windows-7-network-awareness/

2 REPLIES 2
Beginner

If remember well, 

If remember well, 

if your network change, windows made an NCSI test (Network Connectivity Status Indicator),

with a DNS and a http request. This test forced your browser to pop-up a window.

I think you have three choise:

- if the machines are managed by you

1, you cah switch off this feature. In this case you lost the windows internet detection feature

2, you can change the address pointed by default to http://www.msftncsi.com (several ip)  to a simple outside ip, and after you have an entry at the redirect ACL to allow traffic to this ip without redirect

If machines are outside of your control

3, you can build a complex redirect acl, witch will allows traffic to the ip resolved by www.msftncsi.com. I have a large collection from a crontabbed gethostbyname (attached) , it has 246 entry, but you can reduce it to 4-5 bigger subnet. I think it not a big risk to allow this traffic when redirect is active.

http://blog.superuser.com/2011/05/16/windows-7-network-awareness/

Beginner

Well this has definitely done

Well this has definitely done the trick.  I used the registry key on a test system.

And interesting side problem that I assumed was part of it that has not gone away, it takes exactly a minute and thirty seconds to to log in between entering password and seeing the desktop.  Its exactly the same time every time, if I disable client provisioning it goes down to two to four seconds.

Is there a timer somewhere that needs to be shortened?

-e