Solved: Re: Unable to get ISE 2.3 posture working

cmlozano8 · ‎04-16-2018

Hi All,

I am having issues getting posture to run on a new ISE 2.3 installation. It is currently joined to AD and authentication works the issue is I am unable to get the posture to run. I have been working with TAC and looked at multiple resources and it appears that as soon as the Client provisioning policy is configured the module automatically gets pushed to the client, this doesn't happen in my case, it just hits the posture unknown rule but there is no assessment. Once question I did have was concerning the version numbers, I currently have client version 4.6 on the ASA and ISE with compliance module 4.2. I have seen examples with client version 4.2. Does the client have to match the module version or does that matter? I am currently attempting to upgrade this to version 2.4 to see if that fixes it.

Chris

cmlozano8 · ‎04-25-2018

I was able to solve this with TAC. The reason the URL redirect wasn't working was that the ASA was dropping the packet between the ISE and VPN Client due to matching asymmetric NAT rules inbound vs outbound. There was a specific (Inside,outside) rule as well as an redundant (any,outside) rule. After removing the (any,outside) rule problem was solved.

View solution in original post

cmlozano8 · ‎04-18-2018

Ok, so I was able to get posture working but I had to manually go to the client provisioning portal via the test url (no automatic redirect) once I did that posture started working and my compliant authorization policy appears to work. Now I need to know why the automatic redirection doesn't work but I am confused by the process.

1. If users already have anyconnect, but no posture module and they connect should it pop up a web page for them to download the anyconnect compliance module?

2. If users don't have anyconnect and instead try to vpn in via webvpn should it pop up a web page for them to download the anyconect compliance module?

3. What is the purpose of the Redirect ACL VS. the DACL on the posture unknown authorization policy? They appears to be opposites and the DACL is being downloaded, once connected (even if posture unknown) I am able to manually bring up the client provisioning portal. Do my acls look correct? Do I acutally need the redirect?

ASA:

access-list ISE_Redirect extended deny udp any eq bootpc any eq bootps
access-list ISE_Redirect extended deny udp any any eq domain
access-list ISE_Redirect extended deny udp any host 192.168.110.252 eq 8905
access-list ISE_Redirect extended deny tcp any host 192.168.110.252 eq 8905
access-list ISE_Redirect extended deny tcp any host 192.168.110.252 eq 8909
access-list ISE_Redirect extended deny udp any host 192.168.110.252 eq 8909
access-list ISE_Redirect extended deny tcp any host 192.168.110.252 eq 8443
access-list ISE_Redirect extended permit ip any any

ISE:

permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit udp any host 192.168.110.252 eq 8905
permit tcp any host 192.168.110.252 eq 8905
permit tcp any host 192.168.110.252 eq 8909
permit udp any host 192.168.110.252 eq 8909
permit tcp any host 192.168.110.252 eq 8443
deny ip any any

cmlozano8 · ‎04-25-2018

I was able to solve this with TAC. The reason the URL redirect wasn't working was that the ASA was dropping the packet between the ISE and VPN Client due to matching asymmetric NAT rules inbound vs outbound. There was a specific (Inside,outside) rule as well as an redundant (any,outside) rule. After removing the (any,outside) rule problem was solved.