Question about working ISE Postured endpoint configuration files (VPN)

ArielAR
Level 1

Thank you in advance for your responses on the following questions. 

Q1.  In a working ISE Posture configuration, in the endpoint (client) side, what are the expected configuration files that we should see from within the client system?  What are the extra configuration files added to the client system?

Q2.  Where are these files supposed to be located within the Cisco install folder, and possibly outside of it (e.g. user profile?)

Q3. Would these configuration files (used for ISE Posture) behave well if we copied them to another client system, with the expectation that they would work seamlessly on the latter?

Q4.  For the compliance, does it monitor the client system on connect and while it is connected to ensure that it stays compliant?  Also, is there a specific configuration file in the client side that is associated to this monitoring?

Thanks so very much again for any information - anything for sure will help us a lot to more understand its mechanics.

Ariel

11 Replies

@ArielAR it depends on which method you use, redirection or redirectless. If using redirectless, that does require posture files on the local computer; these can be pre-deployed - copy the posture profile XML to these folder locations:

  • Windows: %ProgramData%\Cisco\Cisco Secure Client\ISE Posture
  • MacOS: /opt/cisco/secureclient/iseposture/

Refer to this guide (applies to VPN, wired or wireless) - https://www.cisco.com/c/en/us/support/docs/security/policy-access-management/220394-implementing-ise-redirectionless-posture.html

The posture files can be copied between computers, as they'd have the same settings.

You can configure posture reassessment - "The client agent periodically sends the PRA requests based on the interval specified in the configuration. The client remains in the compliant state if the PRA succeeds, or the action configured in the PRA configuration is to continue. If the client fails to meet PRA, then the client is moved from the compliant state to the noncompliant state."

https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_compliance.html#concept_A9C0E9F58A4A4FECBC9C5BB362F9B403
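The reply above gives the two pre-deployment folders and says the profile can be copied between computers because the settings are the same. Below is an added example (not part of the thread and not Cisco's code) that checks exactly that before a profile is pushed to other endpoints: it builds the expected path per platform from the folders named above, confirms the copy is byte-identical to the source, and confirms it still parses as XML. The file name ISEPostureCFG.xml is the one given later in the thread; the element names ServerNameRules, CallHomeList and DiscoveryHost, and the sample profile itself, are assumptions for illustration and should be checked against a profile exported from your own ISE.

```python
"""Added example: verify an ISE Posture profile before copying it to other endpoints.

Taken from the thread: the profile is an XML file and, for redirectionless
posture, lives in
  Windows: %ProgramData%\\Cisco\\Cisco Secure Client\\ISE Posture
  macOS:   /opt/cisco/secureclient/iseposture/
Assumed for illustration: the discovery element names and the sample profile.
"""
import hashlib
import ntpath
import posixpath
import xml.etree.ElementTree as ET
from typing import Dict, List

PROFILE_FILENAME = "ISEPostureCFG.xml"

PROFILE_DIRS = {
    "windows": r"%ProgramData%\Cisco\Cisco Secure Client\ISE Posture",
    "macos": "/opt/cisco/secureclient/iseposture/",
}

# Assumed element names; confirm them against your own exported profile.
DISCOVERY_FIELDS = ("ServerNameRules", "CallHomeList", "DiscoveryHost")


def expected_profile_path(platform: str) -> str:
    """Full path where the pre-deployed profile must sit on the given platform."""
    key = platform.lower()
    if key == "windows":
        # ntpath expands %ProgramData% when that variable is set (i.e. on Windows)
        return ntpath.join(ntpath.expandvars(PROFILE_DIRS[key]), PROFILE_FILENAME)
    return posixpath.join(PROFILE_DIRS[key], PROFILE_FILENAME)


def parse_profile(xml_bytes: bytes) -> Dict[str, str]:
    """Parse the profile and return the discovery-related values present.
    Raises ET.ParseError on malformed XML (e.g. a truncated copy)."""
    root = ET.fromstring(xml_bytes)
    found: Dict[str, str] = {}
    for name in DISCOVERY_FIELDS:
        el = root.find(f".//{name}")
        if el is not None and el.text:
            found[name] = el.text.strip()
    return found


def profile_digest(xml_bytes: bytes) -> str:
    return hashlib.sha256(xml_bytes).hexdigest()


def check_copy(source: bytes, copied: bytes) -> List[str]:
    """Problems found when comparing a copied profile with its source.
    An empty list means the copy is byte-identical, parses, and carries the
    same discovery settings, which is what makes it safe to reuse elsewhere."""
    problems: List[str] = []
    if profile_digest(source) != profile_digest(copied):
        problems.append("sha256 mismatch: copy is not byte-identical to the source")
    try:
        src_fields = parse_profile(source)
        dst_fields = parse_profile(copied)
    except ET.ParseError as exc:
        problems.append(f"XML parse error: {exc}")
        return problems
    if not src_fields:
        problems.append("no discovery settings found in the source profile")
    for name in DISCOVERY_FIELDS:
        if src_fields.get(name) != dst_fields.get(name):
            problems.append(f"{name} differs between source and copy")
    return problems


# Constructed sample profile for the demo; not a real ISE export.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<cfg>
  <ServerNameRules>*.example.internal</ServerNameRules>
  <CallHomeList>ise-psn1.example.internal:8905,ise-psn2.example.internal:8905</CallHomeList>
  <DiscoveryHost>ise-psn1.example.internal</DiscoveryHost>
</cfg>
"""

if __name__ == "__main__":
    print(expected_profile_path("windows"))
    print(expected_profile_path("macos"))
    print("identical copy:", check_copy(SAMPLE_PROFILE, SAMPLE_PROFILE))
    print("truncated copy:", check_copy(SAMPLE_PROFILE, SAMPLE_PROFILE[:-10]))
```

In practice, read the source profile from the folder on a known-good endpoint, run check_copy against the bytes landed on each new endpoint, and only then expect discovery to behave the same on both.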


Hi, Rob,

Thank you so very much for your response and the information that you have provided. 

But first, just to reconfirm, would it be correct to assume that specifically for ISE Posturing there is just one (1) .xml file (posture.xml) that we can deploy to other client computers? That everything it requires is all part of it?

The compliance check is done on the ISE server side upon connection, and while connected the default interval is set in the Posture General Settings in ISE? That these settings will be global under the Posture section.

Would we need to check the box next to Enable port 8905 for this to take effect?

We are actually trying to make the posture redirection work and it seems we are missing something in our configuration despite following the guide we have. I am hoping that you would be able to provide me a link to a guide that I can use to make sure that all components ISE Posturing needs are established in our environment. Eventually, we may go redirectionless once we get the files that we need for the endpoint side.

Thank you so very much again for sharing your expertise and knowledge on this.

ArielAR


@ArielAR save the profile as ISEPostureCFG.xml

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Settings > Posture > Reassessments.

If you are attempting to perform redirection, what issue are you facing? Is the ACL configured correctly?

Here are two example guides:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215236-ise-posture-over-anyconnect-remote-acces.html

https://integratingit.wordpress.com/2019/07/25/ftd-remote-access-vpn-with-posture/
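The Reassessments page named above is where the periodic reassessment (PRA) interval and failure action are set, and Rob's earlier reply quotes the ISE compliance guide on what they do: the agent sends a PRA every interval, a passing PRA keeps the endpoint compliant, a failing one keeps it compliant only when the configured action is "continue", and otherwise moves it to noncompliant. The following is an added model of that behaviour (not Cisco's code and not from the thread) so the effect of the interval and the failure action can be seen before touching a production policy. The action names continue, logoff and remediate, the interval in minutes, and the AV-stops-at scenario are assumptions for illustration; the checks are plain callables standing in for posture conditions.

```python
"""Added example: a small model of ISE periodic reassessment (PRA)."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

COMPLIANT = "compliant"
NONCOMPLIANT = "noncompliant"
UNKNOWN = "unknown"

# Assumed to follow the ISE reassessment settings; confirm on your ISE version.
FAILURE_ACTIONS = ("continue", "logoff", "remediate")


@dataclass
class ReassessmentConfig:
    interval_minutes: int            # PRA interval, as set under Posture > Reassessments
    failure_action: str = "continue"

    def __post_init__(self) -> None:
        if self.interval_minutes <= 0:
            raise ValueError("interval must be positive")
        if self.failure_action not in FAILURE_ACTIONS:
            raise ValueError(f"unknown failure action {self.failure_action!r}")


@dataclass
class PostureSession:
    """One connected endpoint. `checks` are constructed stand-ins for the
    posture conditions ISE would evaluate (AV running, disk encrypted, ...)."""
    config: ReassessmentConfig
    checks: List[Callable[[], bool]]
    state: str = UNKNOWN
    next_pra_at: int = 0                          # minutes since connect
    history: List[Tuple[int, str, str]] = field(default_factory=list)

    def _all_checks_pass(self) -> bool:
        return all(check() for check in self.checks)

    def connect(self) -> str:
        """Initial assessment at connect time (t = 0)."""
        self.state = COMPLIANT if self._all_checks_pass() else NONCOMPLIANT
        self.next_pra_at = self.config.interval_minutes
        self.history.append((0, "initial", self.state))
        return self.state

    def tick(self, now_minutes: int) -> str:
        """Advance the clock and run every PRA that has come due.
        PRAs only run while the endpoint is compliant; once it drops to
        noncompliant the next step is the configured action, not another PRA."""
        while self.state == COMPLIANT and now_minutes >= self.next_pra_at:
            due = self.next_pra_at
            if self._all_checks_pass():
                outcome = "pra_pass"
            elif self.config.failure_action == "continue":
                outcome = "pra_fail_continue"     # logged, endpoint stays compliant
            else:
                outcome = "pra_fail_" + self.config.failure_action
                self.state = NONCOMPLIANT
            self.history.append((due, outcome, self.state))
            self.next_pra_at = due + self.config.interval_minutes
        return self.state


def simulate(failure_action: str, av_stops_at: int, interval: int = 240) -> PostureSession:
    """Constructed scenario: the endpoint's AV service stops `av_stops_at`
    minutes after connect. Runs four PRA intervals and returns the session."""
    clock = {"now": 0}
    checks = [lambda: clock["now"] < av_stops_at]       # AV "running" until it stops
    session = PostureSession(ReassessmentConfig(interval, failure_action), checks)
    session.connect()
    for now in range(interval, 4 * interval + 1, interval):
        clock["now"] = now
        session.tick(now)
    return session


if __name__ == "__main__":
    for action in FAILURE_ACTIONS:
        s = simulate(action, av_stops_at=300)
        print(f"{action:9} -> {s.state:12} {[h[1] for h in s.history]}")
```

The point the model makes visible: with "continue" the endpoint keeps its compliant authorization indefinitely after the AV stops, and only the PRA failures in the log tell you; with "logoff" or "remediate" the change of state happens at the first PRA after the drift, so the interval bounds how long a drifted endpoint keeps full access.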


Hi, Rob,
At this time we have not configured any re-assessment settings under the CISCO ISE GUI.
We believe that our ACL configuration is correct based on the guide we are following. We also had tested the redirection URL and the webpage seems to be reachable and working.
However, when our client system connects to VPN, although it can successfully connect with VPN, under the ISE posture panel below the Cisco AnyConnect Client app, it says “No policy server detected. Default network access is in effect.”
Would you be able to direct us on what components to reverify to make sure that all is in place and that we did not miss anything?
Very much appreciated – sending you a cup of an electronic hot coffee

@ArielAR so when the client has authenticated and is in the posture unknown state, from the FTD type the command show vpn-sessiondb detail anyconnect. Has the DACL been applied? Enable debugs (debug aaa radius), log in to generate some debug output, then provide the output.

Can the client actually reach ISE to run the posture check? Check the firewall logs etc.

Will check these out too

The first link actually was one of the guides we used. Will review both.
Thanks so much again, Rob.

Can you ping from the user to ISE? Try ping and telnet using TCP 8905.

MHM
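Rob's and MHM's replies amount to a client-side checklist for the "No policy server detected" message: can the endpoint resolve and reach the ISE PSN(s) from inside the tunnel, and on TCP 8905 specifically. The following is an added script (not from the thread and not a Cisco tool) that does that check for a list of PSNs and turns the result into the next thing to verify. A TCP connect stands in for the telnet test; ping is left out because ICMP needs privileges and says nothing about port 8905. The PSN names are placeholders, and the profile path used in the demo is the macOS folder given earlier in the thread.

```python
"""Added example: probe ISE PSNs on TCP 8905 from the VPN client and map the
result to the next troubleshooting step."""
import socket
from dataclasses import dataclass
from typing import List, Optional

ISE_AGENT_PORT = 8905    # the TCP port the thread tells you to telnet to


@dataclass
class ProbeResult:
    host: str
    port: int
    resolved: Optional[str]   # IP the name resolved to; None on DNS failure
    reachable: bool
    detail: str


def tcp_probe(host: str, port: int = ISE_AGENT_PORT, timeout: float = 3.0) -> ProbeResult:
    """Resolve `host` and attempt one TCP connection, the scripted equivalent
    of `telnet <psn> 8905`. Failures are reported, never raised, so a whole
    list of PSNs can be probed in one pass."""
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror as exc:
        return ProbeResult(host, port, None, False, f"DNS failure: {exc}")
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return ProbeResult(host, port, addr, True, "TCP connect OK")
    except OSError as exc:
        return ProbeResult(host, port, addr, False, f"{type(exc).__name__}: {exc}")


def probe_psns(hosts: List[str], port: int = ISE_AGENT_PORT,
               timeout: float = 3.0) -> List[ProbeResult]:
    return [tcp_probe(h, port, timeout) for h in hosts]


def diagnose(results: List[ProbeResult], profile_present: bool) -> List[str]:
    """Map the probe outcome to the next thing to verify, following the
    thread's own checklist: profile on disk, DACL on the head-end, path to ISE."""
    hints: List[str] = []
    if not profile_present:
        hints.append("posture profile not found on the endpoint: "
                     "redirectionless discovery has nothing to work from")
    if results and not any(r.reachable for r in results):
        if all(r.resolved is None for r in results):
            hints.append("no PSN name resolves: check DNS (split-DNS) over the tunnel first")
        else:
            hints.append(f"PSNs resolve but none accept TCP {results[0].port}: check the "
                         "DACL applied to the VPN session and the firewall logs between "
                         "the VPN pool and ISE")
    return hints


if __name__ == "__main__":
    import os
    psns = ["ise-psn1.example.internal", "ise-psn2.example.internal"]   # placeholders
    results = probe_psns(psns)
    for r in results:
        print(f"{r.host:32} {r.resolved or '-':16} {'OK' if r.reachable else 'FAIL'}  {r.detail}")
    profile = os.path.exists("/opt/cisco/secureclient/iseposture/ISEPostureCFG.xml")
    for hint in diagnose(results, profile_present=profile):
        print("->", hint)
```

Run it from the endpoint while the VPN session is up and in the posture-unknown state; a refused or timed-out connect on every PSN, with names resolving, is the case where the DACL and the head-end-to-ISE path are the next things to look at, which is what Rob's show vpn-sessiondb and debug aaa radius steps are for.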

Again, apologies for the late reply.  We have been working diligently and we believe that we finally got the answer to the questions I raised at my initial post.  Thank you all for the insights and suggestions you have provided.  It is very much appreciated.  Our journey in the ISE Posture configuration continues in exploring the conditions and testing them as requirements for determining the compliance of a system that connects.
