ISE posture on MAC OSX 10.11.5

Neelesh Marathe
Cisco Employee

Team,

I am working on an ISE opportunity where I am doing ISE posture for VPN users. Posture for VPN users is working on Windows workstations but it is not working on the Mac machine. I am getting the message "no policy server detected". I tried the following on the Mac to troubleshoot the issue, but no luck:

1. Disabled the captive portal application with the command

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -boolean false

2. Added a host entry for captive.apple.com in /etc/hosts

3. Tried with AnyConnect 4.2 and 4.3

4. Modified the MTU to 1200 for the VPN adapter

I am using

- ISE 2.0 patch 3

- AnyConnect 4.2 or 4.3

- Mac El Capitan 10.11.5

I am attaching a capture from the Mac machine after connecting to the VPN. I can see the DNS request and failure. I don't see any traffic to ISE or the VPN gateway. I would appreciate it if someone can analyze the capture and provide your inputs.

VPN Pool: 10.40.134.44

DNS: 172.17.9.25

Gateway: 10.40.134.1

Thanks,

Neelesh Marathe


pcarco
Cisco Employee

Can you also please run the AnyConnect DART and send the zip file over so we can look at it.

Best regards,

Paul

Hello Paul,

Please find attached the DART bundle.

Thanks,

Neelesh Marathe

Hello Neelesh,

Please ensure that the ISEPostureCFG.xml profile is in the /opt/cisco/anyconnect/profile directory. If it is in there, please delete it, reconnect and let the profile be pushed again. Please retest and let me know if it looks any different.

Best regards,

Paul

Hello Paul,

Thanks for your response. Sure, I will check it on Monday as the laptop is with the customer.

I have questions:

1. Did you mean that when we install the AnyConnect ISE posture module on the Mac, ISEPostureCFG.xml is created by default? Because we are trying it for the first time on this laptop and posture discovery never worked. Based on my knowledge, when the agent discovers the ISE server, the AnyConnect downloader downloads the posture profile and compliance module.

2. Will the XML get saved in /opt/cisco/anyconnect/profile or in the /opt/cisco/anyconnect/ISE posture directory? I checked last time in the ISE posture directory but there was no XML file.

Thanks,

Neelesh Marathe

Hello Neelesh,

Yes, the ISEPostureCFG.xml needs to be in that directory and, if deployed by the ASA or ISE, should be there.

Some questions:

1.) How were AnyConnect and the System Scan module installed on the Mac? Was it done with the .dmg stand-alone installer, or is Client Provisioning installing AC and System Scan?

2.) Did you create an AnyConnect Configuration file for the Macs?

[Attached image: ISE-MACOSX-AC-Configuration.png]

Hello Paul,

Now posture assessment is working on the Mac machine. The issue got resolved after checking the below option under the AnyConnect Mobility Client settings. The customer is not using Split Tunneling and all traffic goes through the secured tunnel.

Answers to your questions:

1. AnyConnect was installed through the .dmg standalone installer

2. I have created client provisioning policies and an AnyConnect Configuration file for the Mac

The strange thing is that we are not checking this option on Windows machines, but posture is still working on Windows with the same ASA and ISE setup. I am not sure if the AnyConnect Mobility Client VPN flow differs between Windows and Mac.

Thanks,

Neelesh Marathe

Ok, good to hear, although it doesn't make sense (to me) if Split-Tunneling / Local LAN Access is not even configured.

I was asking about the profile because in the DART I saw this message 319 times:

Aug  5 17:29:30 static-34 acise[6832]: Function: CFGUTIL Thread Id: 0xA4180000 File: ConfigData.cpp Line: 181 Level: warn :: ISEPostureCFG.xml not found, using defaults

Do the Windows and Mac users have the same AnyConnect client profile (core VPN), and are they assigned to the same ASA group policy? If you want me to take a look, email me the ASA configuration as well as the VPN profile.

ASDM:  Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile

Hello Paul,

Currently I am not using any VPN profiles. I am connecting to the VPN through the IP address. I would love to share the ASA config with you, but the customer is reluctant to share it. I don't even have direct access to the ASA.

I am not yet finished with all the testing. I am going to try all the permutations and combinations to find out the exact root cause.

I am also suspecting an issue with the DNS server, as I saw a lot of DNS failures in the capture and also observed intermittent connectivity issues with DNS.

I will update you with my findings and see if I can get the ASA config.

Thanks,

Neelesh Marathe

Hello Paul,

After some more troubleshooting, I found that posture starts working on the Mac laptop when I add a host entry for enroll.cisco.com. This is one of the steps in posture discovery.

I am attaching a capture from the Mac after adding the host entry.

VPN IP: 10.40.134.45

enroll.cisco.com: 72.163.1.80

ISE IP: 10.17.76.120

On Windows, posture discovery is working perfectly fine without adding any host entry or modifying any other settings.

Unfortunately I could not get the ASA running configuration.

Any pointers?

Thanks,

Neelesh Marathe

This is happening to me as well. The host file entry for enroll.cisco.com fixed it. The issue is only with Mac; the Windows client is working fine. Were you able to resolve this?

Hi Adam, I'm not sure if your problem is the same as Neelesh's, but I just looked at the packet capture he included and it looks to me like his problem was that he wasn't allowing DNS in the pre-posture ACL. I am making that assumption because I see a lot of DNS queries but no replies. The endpoint has to be able to resolve something (i.e. enroll.cisco.com) before it will attempt an HTTP request and get redirected to ISE. This is especially true if it's the first time and the endpoint hasn't learned the IP address of a PSN yet.

Let me know if that makes sense.

George
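The check George describes, written out as an added example that is not part of the thread: pair each DNS query in a tcpdump text dump with its reply by client address, port and transaction ID, then report names that were retried but never answered, which is the pattern a pre-posture ACL without a DNS permit produces. The capture lines are constructed for the example (reusing the thread's pool and DNS addresses), not taken from the attached capture.

```python
import re
from collections import Counter

# Constructed sample in the text format of `tcpdump -n udp port 53`
# (not the capture attached to the thread).
#   query:  <time> IP <client>.<port> > <dns>.53: <txid>+ A? <name>. (<len>)
#   answer: <time> IP <dns>.53 > <client>.<port>: <txid> <an>/<ns>/<ar> A <ip> (<len>)
SAMPLE_CAPTURE = """\
17:29:30.100 IP 10.40.134.44.52001 > 172.17.9.25.53: 20250+ A? enroll.cisco.com. (34)
17:29:30.105 IP 10.40.134.44.52002 > 172.17.9.25.53: 20251+ A? captive.apple.com. (35)
17:29:30.210 IP 172.17.9.25.53 > 10.40.134.44.52002: 20251 1/0/0 A 17.253.144.10 (51)
17:29:35.100 IP 10.40.134.44.52003 > 172.17.9.25.53: 20252+ A? enroll.cisco.com. (34)
17:29:40.100 IP 10.40.134.44.52004 > 172.17.9.25.53: 20253+ A? enroll.cisco.com. (34)
"""

QUERY_RE = re.compile(
    r"^\S+ IP (?P<client>\d+\.\d+\.\d+\.\d+)\.(?P<port>\d+) > \S+\.53: "
    r"(?P<txid>\d+)\+ \S+\? (?P<name>\S+)\. \(\d+\)$")
# Any reply counts as answered, NXDomain included: the question is whether
# replies reach the endpoint at all, not whether the name exists.
ANSWER_RE = re.compile(
    r"^\S+ IP \S+\.53 > (?P<client>\d+\.\d+\.\d+\.\d+)\.(?P<port>\d+): "
    r"(?P<txid>\d+)[*-]* ")

def pair_dns(capture_text):
    """Return (answered, unanswered) Counters keyed by query name.
    Queries are matched on (client ip, source port, txid), so each
    retry of the same name is counted on its own."""
    pending = {}
    answered, unanswered = Counter(), Counter()
    for line in capture_text.splitlines():
        q = QUERY_RE.match(line)
        if q:
            pending[(q["client"], q["port"], q["txid"])] = q["name"]
            continue
        a = ANSWER_RE.match(line)
        if a:
            name = pending.pop((a["client"], a["port"], a["txid"]), None)
            if name:
                answered[name] += 1
    for name in pending.values():
        unanswered[name] += 1
    return answered, unanswered

def never_answered(capture_text):
    """Names with at least one query and no reply at all in the capture."""
    answered, unanswered = pair_dns(capture_text)
    return {n: c for n, c in unanswered.items() if n not in answered}

if __name__ == "__main__":
    print("answered:", dict(pair_dns(SAMPLE_CAPTURE)[0]))
    print("never answered:", never_answered(SAMPLE_CAPTURE))
```

A name that the endpoint keeps retrying with no reply while other names do resolve points at the path for that query (ACL or resolver), which is what adding the /etc/hosts entry masked in the thread.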

I tried to allow the DNS entry and it didn't work... I had to manually edit the host entry as well.