khalid_mahmood
Enthusiast

Cisco AnyConnect VPN Trusted Network detection does not work with ISE Posture on the LAN

Hi,

We have a Cisco ASA5585 with AnyConnect SSL VPN configured, with Always On and Trusted Network Detection (*UKDOMAIN & defined certificate servers). The VPN client works fine, but when you connect a LAN cable in, the VPN client should recognise it's on a trusted network and drop the VPN; however, I can see that the Posture module starts the discovery process, which seems to interfere with Trusted Network Detection. We have 802.1x on the LAN with posture. The issue is that Posture does not work until I manually disconnect the VPN.

Help, am I missing a trick? I can't find any decent documentation which covers a situation where you have:-

1. 802.1x on the LAN with posture

2. VPN with Always On and TND working with posture

3. Moving a laptop from LAN to VPN works, but VPN to LAN the TND feature fails

Looking at the DART bundle, it looks like the switch on the LAN with the 802.1x config to support Posture, i.e. "IP HTTP Server", is being seen by the AnyConnect VPN client as being a captive portal.

If I connect the laptop from VPN to a switch with no 802.1x and no Posture configured (no ip http server), then TND works well.

How do I do posture on the LAN with VPN TND feature?

Regards Khalid

5 REPLIES
hslai
Cisco Employee

It seems TND is not properly configured. Please review "Use Trusted Network Detection to Connect and Disconnect".

Moving this to AnyConnect in case you need further help on this.

pcarco
Cisco Employee

Please send the DART to ac-mobile-feedback@cisco.com, Attn: Paul Carco, and I will take a look.

Paul

AnyConnect TME

Thanks Paul for the offer, we changed the trusted certificate servers to the ISE nodes and this resolved the issue. Not sure why.

Hello - Glad to hear you solved the issue.

Just out of curiosity, the change you made - was it in the profile 'Trusted Servers'?

Hi Paul, yes it was the trusted servers.
