ISE 2.2 or 2.3 Posture configuration

khalid_mahmood
Level 4
Level 4

Hi, I'm looking for a configuration example for ISE Posture using the new enhanced Posture discovery method available in ISE 2.2 and above.

We recently upgraded from ISE 2.1 to 2.3 - we still have the old method of posture using redirection configured, but now want to move to the new method without using redirection.

Looking for a good Lab guide or example configuration document, the only one I've seen is this comparison https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html

The Communities Posture section has no up to date examples or guides.

Thanks Khalid

Accepted Solution

Craig Hyps
Level 10
Level 10

See Cisco Identity Services Engine Administrator Guide, Release 2.2 - Configure Client Provisioning [Cisco Identity Service…

The primary difference is that we leverage a secondary Discovery stage to connect to ANY PSN.  On the backend the PSN will perform a lookup to MnT and redirect the authenticated client to their RADIUS PSN to complete the posture process.  In general, URL redirection is the fastest discovery method.  If you require support for NADs that do not offer URL redirection, or are hitting issues with URL redirection, then the newer capability can serve to augment or replace traditional redirect support.

The key value to be configured under newer discovery is the Call Home List (listed in above admin guide).  The FQDN enroll.cisco.com is a fallback to the Call Home List and is optional.

For Client Provisioning without redirection, you will need to configure the Posture Provisioning Portal similar to a MyDevices portal.  You define the ID auth sequence and the portal FQDN to which the user must manually navigate (or which is linked from another portal), and the option to allow SSO based on an existing RADIUS session; otherwise the user will enter login credentials per the ID sequence.

Craig


6 Replies


Hello Craig,

Thanks for your explanation, but I still have a question. First, our customer doesn't accept the redirect URL web, so I installed AnyConnect on the customer's computer and I followed the configuration in the "ISE Posture Style Comparison for Pre and Post 2.2" document, but the computer can't detect the policy server. Then I put the ISEPostureCFG.xml into the proper folder, and it does work. We can finish the posture check. So, this step, putting the .xml in place, is it necessary? Thank you very much.

Without redirect the agent initially won’t be able to find the server so you would need to push the xml to tell it who to talk to right?

Another option is to only redirect certain traffic. For example, set up an internally resolvable site in DNS that will trigger the redirect and only redirect on that; users would initially go to that site and download the agent, and this would also be your discovery host in the XML.

Otherwise you have to pre-deploy.

If the AnyConnect profile was not configured to include the proper call home list and set as part of the AC provisioning package given to the user, then you may need to push a new one manually.  If you are saying that the correct XML was configured and pushed but not provisioned into the correct directory, and further that things worked only after manually moving the file, then it sounds like a case for TAC and a potential defect.

Again, make sure you have set the correct parameters in the AC profile and that this is the profile being pushed to the client, to the correct location, during provisioning.  You may also want to uninstall AC first in case you are dealing with issues from a past install.
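As an added example (my own script, not Cisco's code and not from any poster in this thread) covering the Call Home List from the accepted answer and the ISEPostureCFG.xml question in the follow-up: a Python checker that parses a constructed ISEPostureCFG.xml, normalizes the Call Home List into host:port pairs (8905 assumed as the default posture port), and flags PSNs that are listed for call-home but are not covered by ServerNameRules. The element names PostureProtocol, DiscoveryHost, ServerNameRules and CallHomeList are assumed from the layout the AnyConnect ISE Posture profile editor writes; verify them against a profile exported from your own deployment before relying on this.

```python
"""Sanity-check an AnyConnect ISE Posture profile (ISEPostureCFG.xml) for
non-redirect discovery.  Added example; not Cisco code.

Assumptions: element names under <PostureProtocol> follow the profile
editor's output; 8905 is the default port the agent uses to reach a PSN;
enroll.cisco.com in the list is only the optional fallback, not a PSN.
The sample profile below is constructed for this example."""

import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

DEFAULT_PORT = 8905            # assumed default posture port on a PSN
ENROLL_FALLBACK = "enroll.cisco.com"

# Constructed sample: two PSNs in the rules, one PSN outside them, plus fallback.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<cfg>
  <AgentBehavior>
    <EnableSignatureCheck>0</EnableSignatureCheck>
    <OperateOnNonAdminUser>1</OperateOnNonAdminUser>
  </AgentBehavior>
  <PostureProtocol>
    <PRARetransmission>3</PRARetransmission>
    <DiscoveryHost>ise-psn1.example.com</DiscoveryHost>
    <ServerNameRules>*.example.com</ServerNameRules>
    <CallHomeList>ise-psn1.example.com:8905,ISE-PSN2.example.com,enroll.cisco.com,psn3.lab.local:8443</CallHomeList>
    <BackOffTimer>30</BackOffTimer>
  </PostureProtocol>
</cfg>
"""


def parse_profile(xml_text):
    """Pull the discovery-relevant fields out of the <PostureProtocol> section."""
    root = ET.fromstring(xml_text)
    proto = root.find("PostureProtocol")
    if proto is None:
        raise ValueError("profile has no <PostureProtocol> section")

    def text(tag):
        el = proto.find(tag)
        return (el.text or "").strip() if el is not None else ""

    return {
        "discovery_host": text("DiscoveryHost").lower(),
        "server_name_rules": [r.strip().lower() for r in text("ServerNameRules").split(",") if r.strip()],
        "call_home": text("CallHomeList"),
    }


def call_home_targets(call_home):
    """Normalize a comma-separated Call Home List into (host, port) tuples.

    Hostnames are lower-cased; an entry without ':port' gets DEFAULT_PORT."""
    targets = []
    for entry in call_home.split(","):
        entry = entry.strip().lower()
        if not entry:
            continue
        host, sep, port = entry.partition(":")
        if sep:
            if not port.isdigit() or not 0 < int(port) < 65536:
                raise ValueError(f"bad port in call-home entry {entry!r}")
            port = int(port)
        else:
            port = DEFAULT_PORT
        targets.append((host, port))
    return targets


def check_profile(xml_text):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    cfg = parse_profile(xml_text)
    findings = []
    targets = call_home_targets(cfg["call_home"])
    psns = [(h, p) for h, p in targets if h != ENROLL_FALLBACK]

    if not psns:
        findings.append("CallHomeList names no PSN; without redirect the agent has nothing to call home to")

    # A PSN the agent cannot match against ServerNameRules is not usable for posture.
    rules = cfg["server_name_rules"]
    if rules:
        for host, _ in psns:
            if not any(fnmatchcase(host, rule) for rule in rules):
                findings.append(f"{host} is in CallHomeList but matches no ServerNameRules entry")

    seen = set()
    for host, port in targets:
        if (host, port) in seen:
            findings.append(f"duplicate call-home entry {host}:{port}")
        seen.add((host, port))
    return findings


if __name__ == "__main__":
    for finding in check_profile(SAMPLE_PROFILE) or ["profile looks consistent"]:
        print(finding)
```

Run it against the XML actually present in the agent's profile directory on a client that fails discovery; if the Call Home List is empty or every PSN falls outside ServerNameRules, the profile being provisioned is the problem rather than the agent install.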

Thank you!

andre.ortega
Spotlight
Spotlight

Hello there,

In the case of a distributed deployment, should I create a profile for each site, with a specific list of PSNs?

For example:

Site A = Profile A = Call home PSN1 and PSN2

Site B = Profile B = Call home PSN3 and PSN4


Or could I have only one profile with all PSNs on Call Home list (PSN1, PSN2, PSN3 and PSN4)?