Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8504
Views
5
Helpful
3
Replies

AnyConnect ISE Posture Bypass System Scan

Go to solution
CaoMinhThinh4782
Level 1
Level 1

‎11-28-2019 05:17 PM

Dear all,

 

I'm trying to install AnyConnect NAM and ISE posture, as well configure posture on ISE without Client Provisioning. I also generated profile using Profile Editor for both of NAM and posture module, then paste them to consisten folder AnyConnect NAM and ISE posture in ProgramData/Cisco.

 

The NAM operated normally, but after authorization complete, Posture module didn't scan the system for compliance, the status is Bypassing AnyConnect scan — Your network is configured to use the Cisco NAC agent.

 

Could anyone know the issue?

 

Thank you so much!

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎11-29-2019 10:23 AM

The client provisioning and ISE posture policy go hand-in-hand. What you are seeing about Bypassing AnyConnect Scan is normal behavior based on how you described things. You need to setup a client provisioning policy with the proper AnyConnect profile. Under client provisioning resources you setup an AnyConnect profile that essentially configures the posture agent with its settings. Some things created here include discovery host which is the server that the agent should connect to (ISE PSN that will perform posture checks). Then you would configure your client prov policy along the lines of this:
If any ID Groups & Windows ALL AND <other conditions you wish to match on> THEN result equals AnyConnect Configuration
The AC configuration is also setup under Client Prov resources. This config specifies the AC package version, what compliance module to look for/use, and what ISE posture AC profile to use that I mentioned earlier. Check this out:
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html#anc14
Also, take a peek at labminutes.com/security for free video tutorials. Good luck & HTH!

View solution in original post

3 Replies 3

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎11-29-2019 10:23 AM

The client provisioning and ISE posture policy go hand-in-hand. What you are seeing about Bypassing AnyConnect Scan is normal behavior based on how you described things. You need to setup a client provisioning policy with the proper AnyConnect profile. Under client provisioning resources you setup an AnyConnect profile that essentially configures the posture agent with its settings. Some things created here include discovery host which is the server that the agent should connect to (ISE PSN that will perform posture checks). Then you would configure your client prov policy along the lines of this:
If any ID Groups & Windows ALL AND <other conditions you wish to match on> THEN result equals AnyConnect Configuration
The AC configuration is also setup under Client Prov resources. This config specifies the AC package version, what compliance module to look for/use, and what ISE posture AC profile to use that I mentioned earlier. Check this out:
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html#anc14
Also, take a peek at labminutes.com/security for free video tutorials. Good luck & HTH!

Go to solution
CaoMinhThinh4782
Level 1
Level 1
In response to Mike.Cifelli

‎11-30-2019 12:32 AM

Thank so much, Mike!

As you mentioned, I also read w/ carefully the guide from cisco, and figured out that we need to configure client provisioning for AnyConnect profile, and I fixed the issue yesterday.

 

But, I'm facing the new issue that the anyconnect does not do remediation with the untrust server. My ISE PSN is using self-signed cert, I don't know how to make anyconnect accept untrust server? Could you give me any suggestions?

 

Btw, thank you for your response, Ot's quite useful to me!

 

Best regards,

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to CaoMinhThinh4782

‎11-30-2019 08:07 AM

But, I'm facing the new issue that the anyconnect does not do remediation with the untrust server. My ISE PSN is using self-signed cert, I don't know how to make anyconnect accept untrust server? Could you give me any suggestions?
Two options here:
1 - get a certificate that is trusted by your end clients. Ensure the chain is in the appropriate stores on your end devices.
2 - Use the ISE posture profile editor to allow end clients to connect to untrusted servers. See here: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/configure-posture.html
HTH!
0 Helpful
Customers Also Viewed These Support Documents