01-18-2022 08:11 PM
I set out to test this and make it work but am stuck with the client never redirecting.
I followed this guide and searched high and low through a number of others as well as looking at ISE configurations on ASA for additional examples.
I connect to the VPN just fine and authenticate. I hit the right unknown posture authz policy. I get the redirect ACL as well as the redirect URL. Once connected I can ping ISE by IP and by the name listed in the redirect URL, nslookup DNS names, and pull up ISE on port 8443. And if I actually type the whole redirect URL, the page pulls up and starts me through the process. However, I can never get the redirect to actually happen by itself. I've tried both Windows and Mac clients and neither will redirect.
On ISE:
Result Class CACS:4ba026e90003000061e78a1a:ISEv-01/429592496/118
cisco-av-pair url-redirect-acl=anyconnectredirect
cisco-av-pair url-redirect=https://ISEv-01.networkingtechnician.net:8443/portal/gateway?sessionId=4ba026e90003000061e78a1a&portal=e2b33062-b8d1-467b-b26f-8b022bba10e7&action=cpp&token=2f5f34a7c71d6e77bdc84e0bfc17e59d
cisco-av-pair ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PostureUnkown-61e789c4
cisco-av-pair profile-name=OS_X_BigSur-Workstation
LicenseTypes Essential license consumed.
On the FTD:
Username     : brian.stamper
Index        : 48
Assigned IP  : 192.168.222.12
Public IP    : 174.242.224.193
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA384
Bytes Tx     : 97085
Bytes Rx     : 441904
Pkts Tx      : 597
Pkts Rx      : 5009
Pkts Tx Drop : 0
Pkts Rx Drop : 0
Group Policy : DfltGrpPolicy
Tunnel Group : Posture
Login Time   : 03:48:42 UTC Wed Jan 19 2022
Duration     : 0h:13m:03s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A
VLAN         : none
Audt Sess ID : 4ba026e90003000061e78a1a
Security Grp : none
Tunnel Zone  : 0

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
  Tunnel ID    : 48.1
  Public IP    : 174.242.224.193
  Encryption   : none
  Hashing      : none
  TCP Src Port : 10993
  TCP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes
  Idle TO Left : 16 Minutes
  Client OS    : mac-intel
  Client OS Ver: 11.6.0
  Client Type  : AnyConnect
  Client Ver   : Cisco AnyConnect VPN Agent for Mac OS X 4.10.00093
  Bytes Tx     : 1760
  Bytes Rx     : 0
  Pkts Tx      : 2
  Pkts Rx      : 0
  Pkts Tx Drop : 0
  Pkts Rx Drop : 0

SSL-Tunnel:
  Tunnel ID    : 48.2
  Assigned IP  : 192.168.222.12
  Public IP    : 174.242.224.193
  Encryption   : AES-GCM-256
  Hashing      : SHA384
  Ciphersuite  : ECDHE-RSA-AES256-GCM-SHA384
  Encapsulation: TLSv1.2
  TCP Src Port : 11004
  TCP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes
  Idle TO Left : 17 Minutes
  Client OS    : Mac OS X
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Mac OS X 4.10.00093
  Bytes Tx     : 6940
  Bytes Rx     : 3302
  Pkts Tx      : 35
  Pkts Rx      : 41
  Pkts Tx Drop : 0
  Pkts Rx Drop : 0
  Filter Name  : #ACSACL#-IP-PostureUnkown-61e789c4

DTLS-Tunnel:
  Tunnel ID    : 48.3
  Assigned IP  : 192.168.222.12
  Public IP    : 174.242.224.193
  Encryption   : AES-GCM-256
  Hashing      : SHA384
  Ciphersuite  : ECDHE-ECDSA-AES256-GCM-SHA384
  Encapsulation: DTLSv1.2
  UDP Src Port : 10995
  UDP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes
  Idle TO Left : 30 Minutes
  Client OS    : Mac OS X
  Client Type  : DTLS VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Mac OS X 4.10.00093
  Bytes Tx     : 88385
  Bytes Rx     : 438602
  Pkts Tx      : 560
  Pkts Rx      : 4968
  Pkts Tx Drop : 0
  Pkts Rx Drop : 0
  Filter Name  : #ACSACL#-IP-PostureUnkown-61e789c4

ISE Posture:
  Redirect URL : https://ISEv-01.networkingtechnician.net:8443/portal/gateway?sessionId=4ba026e90003000061e78a1a&portal...
  Redirect ACL : anyconnectredirect
01-19-2022 12:09 AM
@stamperbrian what is the configuration of the redirect ACL? Are you redirecting on http or https?
If you take a packet capture on the client can you see the attempted communication to ISE?
If you manage the endpoints you can also pre-deploy the configuration with the ISE call home servers defined and not rely on redirect.
01-19-2022 06:01 AM
I've tried the ACL redirect a couple of different ways. Right now it's:
deny any ISE
deny any DNS
permit any any
I've tried it with permit any http as well, but it doesn't seem to make a difference.
With the packet capture I have to wait till the VPN is established and use the Ethernet interface. If I use the physical wired/wireless interface all I see is the encrypted VPN traffic. However, I never see any DNS lookups for my ISE. Lots of other normal DNS stuff.
I just tested adding the call home server ISE PSN IP in the Call Home List. No change there. I've also tried setting a discovery host but also no luck there. I know my plumbing is good, being I can get to the ISE server and even manually kick off things if I type in the whole redirect URL. Same with DNS.
Being this is more or less just lab I own everything and could seed things but would like to figure out why this redirect isn't working if possible.
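Added illustration, not the poster's configuration: a small evaluator for how a redirect ACL like the one above is read, where the first matching entry wins, permit marks a flow as eligible for redirection and deny exempts it (bypass). The object definitions (ISE as a single PSN host, DNS as UDP/53, http as TCP/80) and the addresses are constructed assumptions for a lab.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lab definitions for the object names used in the thread's ACL
# (assumption: ISE is one PSN host, DNS is UDP/53, http is TCP/80).
OBJECTS = {
    "ISE":  {"hosts": {ipaddress.ip_address("10.0.0.5")}, "ports": None, "proto": None},
    "DNS":  {"hosts": None, "ports": {53}, "proto": "udp"},
    "http": {"hosts": None, "ports": {80}, "proto": "tcp"},
}

# The poster's current ACL and the "permit any http" variant they also tried.
POSTER_ACL = ["deny any ISE", "deny any DNS", "permit any any"]
HTTP_ONLY_ACL = ["deny any ISE", "deny any DNS", "permit any http"]


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    proto: str


def matches(dst: str, flow: Flow) -> bool:
    """Does the ACE destination token match this flow?"""
    if dst == "any":
        return True
    obj = OBJECTS[dst]
    return (
        (obj["hosts"] is None or ipaddress.ip_address(flow.dst_ip) in obj["hosts"])
        and (obj["ports"] is None or flow.dst_port in obj["ports"])
        and (obj["proto"] is None or flow.proto == obj["proto"])
    )


def redirect_decision(acl: list[str], flow: Flow) -> str:
    """First matching ACE wins. In a redirect ACL, permit = eligible for
    redirection, deny = bypass (forwarded normally); no match = implicit deny."""
    for ace in acl:
        action, _src, dst = ace.split()
        if matches(dst, flow):
            return "redirect" if action == "permit" else "bypass"
    return "bypass"


if __name__ == "__main__":
    # Constructed sample flows: DNS query, ISE portal, plain HTTP, HTTPS.
    for acl in (POSTER_ACL, HTTP_ONLY_ACL):
        for f in (Flow("10.0.0.53", 53, "udp"), Flow("10.0.0.5", 8443, "tcp"),
                  Flow("192.0.2.10", 80, "tcp"), Flow("192.0.2.10", 443, "tcp")):
            print(acl[-1], f, "->", redirect_decision(acl, f))
```

This only shows which flows are eligible; an eligible flow still has to be a web request the headend actually intercepts, which is what the earlier question about redirecting on http or https is probing.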
01-19-2022 08:51 AM
In addition, since this is in lab and I've done a lot with the FTD in use, I built a new one, followed the FTD portion of the guide I put in the first post and again, same issue. I hit the right ISE policy, get the redirect URL. On the client I can ping ISE by name as listed in the redirect and by IP, nslookup for anything, but I never get redirected to the ISE portal.