posture module http probe

williamtan
Level 1

Hi,

After going through the document ISE Posture Style Comparison for Pre and Post 2.2, I have some questions about step 20 regarding the posture module, as shown below.

Step 20. At this stage Anyconnect Posture Module initiates policy server detection. This is accomplished with a series of probes that are sent at the same time by the Posture module:

  • Probe 1 - HTTP GET /auth/discovery to default gateway IP. You should remember that macOS devices do not have a default gateway on the VPN adapter. Expected result for the probe is redirect-url.

  • Probe 2 - HTTP GET /auth/discovery to enroll.cisco.com. This FQDN needs to be successfully resolvable by DNS server. In VPN scenario with split-tunnel, traffic to enroll.cisco.com has to be routed through the tunnel. Expected result for the probe is redirect-url.

  • Probe 3 - HTTP get /auth/discovery to discovery host. Discovery host value is returned from ISE during installation in AC posture profile. Expected result for the probe is redirect-url.

  • Probe 4 - HTTP GET /auth/status over SSL on port 8905 to previously connected PSN. This request contains information about the client's IP and MAC list for session lookup on the ISE side. This probe is not present during the first posture attempt. The connection is protected by the ISE admin certificate. As a result of this probe, ISE can return the session ID back to the client if the node where the probe landed is the same node where the user was authenticated.

1. Are the first 3 probes sent through port 80?

2. What will happen if I add deny port 80 in the redirect rule?

3. What happens if some app sends port 80 traffic faster than the posture probe? Will ISE reply to that traffic?

3 Replies

Colby LeMaire
VIP Alumni

The whole point of the probes is to trigger redirection.  So we actually want to deny TCP/80 in a redirect ACL on a switch so that it triggers redirection to the ISE PSN.  If another App is also attempting to connect to anything on TCP/80, it will also be redirected.  Just the same as if you opened a browser on that machine and attempted to browse anywhere.  You would be redirected to the Client Provisioning Portal.

Hi Colby.LeMaire,

If another app is redirected to ISE and ISE replies with the CPP, does the posture module still get the CPP from ISE? Or will all apps, including the posture module, use the same CPP session?

If it is another app such as a browser, it will just get the Client Provisioning Portal.  The session information is included in the redirect URL and is unique to each session.  All that happens with redirection is when you request something like www.google.com, the switch intercepts the request, spoofs the google.com IP address, and replies with an HTTP 302 (Page Moved) response that includes the redirect URL from ISE/switch.  So anything attempting to communicate on TCP/80 would receive the same response.  That's normal operation.
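To make the redirect mechanism described above concrete, here is an added example (not code from the thread, AnyConnect or ISE) that models how a discovery probe's answer is evaluated: only an HTTP 3xx carrying a Location header counts as the expected redirect-url, while a plain 200 from some other web server or no answer at all (e.g. no default gateway on a macOS VPN adapter) does not. The ISE hostname, portal name and sessionId in the sample response are constructed placeholders, not values from a real deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample responses; hostname, portal and sessionId are placeholders.
REDIRECT_302 = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Location: https://ise-psn.example.com:8443/portal/gateway"
    "?sessionId=0A0A0A0A00000001&portal=cpp-portal-id&action=cpp\r\n"
    "Content-Length: 0\r\n\r\n"
)
PLAIN_200 = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>some web server</html>"


def parse_probe_response(raw):
    """Return redirect URL and session id if `raw` is the 302 the switch sends
    for an intercepted TCP/80 request; otherwise None (no redirect-url)."""
    if raw is None:                      # probe got no answer at all
        return None
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = re.match(r"HTTP/1\.[01] (\d{3}) ", lines[0])
    if not status or not status.group(1).startswith("3"):
        return None                      # e.g. a real web server answered with 200
    headers = {k.strip().lower(): v.strip()
               for k, v in (ln.split(":", 1) for ln in lines[1:] if ":" in ln)}
    location = headers.get("location")
    if not location:
        return None
    query = parse_qs(urlsplit(location).query)
    return {"redirect_url": location, "session_id": query.get("sessionId", [None])[0]}


def run_discovery(probe_responses):
    """Evaluate the /auth/discovery probes (sent in parallel, so the first one
    answered with a redirect wins). Returns (probe target, parsed redirect) or None."""
    for target, raw in probe_responses.items():
        result = parse_probe_response(raw)
        if result:
            return target, result
    return None


if __name__ == "__main__":
    print(run_discovery({
        "default-gateway": None,         # probe 1: no gateway on the VPN adapter
        "enroll.cisco.com": PLAIN_200,   # probe 2: answered directly, not intercepted
        "discovery-host": REDIRECT_302,  # probe 3: intercepted by the switch
    }))
```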