Solved: Dynamic Access Policy Selection changes after device posturing by ISE

Ryders · ‎02-13-2023

I have cisco ISE setup to posture endpoints that connect to our VPN. I setup a separate Dynamic Access Policy (DAP) and connection profile for testing this. Now that it is working, I want to move adjust our current users DAP & connection profile (we have one for all users) to allow posturing. When I make a change to the connection profile's authentication AAA server under the basic tab and switch it to ISE, my endpoint will posture, but once it does, it selects the default profile which terminates the connection. My question is why is a change in posture status causing a different DAP to be selected? From the logs it looks like after posturing the endpoint returns significantly less info.

ASA 5525-x on 9.14(4)15
ISE 2.7 patches 3,5,6,7
anyconnect 4.10.04065

Rob Ingram · ‎02-14-2023

@Ryders are you actually running ISE Posture and Hostscan at the sametime? That is not supported.

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect41/administration/guide/b_AnyConnect_Administrator_Guide_4-1/configure-posture.html

Use one or the other not both.

View solution in original post

Ryders · ‎02-14-2023

I found that after the first round of posturing is done, ISE (I think) sends back (or loses the extra info) way less info than the ASA initially collects after the Hostscan. I had an endpoint OS requirement that wasn't getting sent back after posturing compliant. I removed the requirement to test and it connected successfully. I would like to be able to deny connections based on the OS type and also hopefully an AD Group membership. It seems like I can send some info back to the ASA through the ISE authorization profile in the advanced attribute section. I will post again if I figure it out. If anyone has any advice on this I would greatly appreciate your input.

Right now the DAP requires a certain Tunnel Group and Group Policy. Both of which get returned when postured unknown and compliant.

Rob Ingram · ‎02-14-2023

@Ryders are you actually running ISE Posture and Hostscan at the sametime? That is not supported.

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect41/administration/guide/b_AnyConnect_Administrator_Guide_4-1/configure-posture.html

Use one or the other not both.

Ryders · ‎02-15-2023

We are running both hostscan and ISE and that was the issue. The host scan was only running once and ISE wasn't resending that info after the first posture check. I have the authorization policies checking requirements now instead of Dynamic Access Policies. Thank you for the advice Rob.