09-19-2017 06:10 AM
Hi, looking for configuration example for ISE Posture using the new enhanced Posture discovery method available in ISE 2.2 and above.
We recently upgraded from ISE 2.1 to 2.3 - we still have the old method of posture using redirection configured, but now want to move to the new method without using redirection.
Looking for a good Lab guide or example configuration document, the only one I've seen is this comparison https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html
The Communities Posture section has no up to date examples or guides.
Thanks Khalid
09-19-2017 10:47 AM
The primary difference is that we leverage a secondary Discovery stage to connect to ANY PSN. On the backend the PSN will perform a lookup to MnT and redirect the authenticated client to their RADIUS PSN to complete the posture process. In general, URL redirection is the fastest discovery method. If you require support for NADs that do not offer URL redirection, or are hitting issues with URL redirection, then the newer capability can serve to augment or replace traditional redirect support.
The key value to be configured under newer discovery is the Call Home List (listed in above admin guide). The FQDN enroll.cisco.com is a fallback to the Call Home List and is optional.
For Client Provisioning without redirection, you will need to configure the Posture Provisioning Portal similar to a MyDevices portal. You define ID auth sequence and portal FQDN to which user must manually navigate to (or linked from another portal), and option to allow SSO based on existing RADIUS session; otherwise user will enter login credentials per ID sequence.
Craig
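The Call Home stage Craig describes, modelled as an added illustration (this is not AnyConnect or ISE code and is not from the thread): the agent works through its Call Home List entries in order, any reachable PSN looks the client's RADIUS session up in MnT and either postures the client itself or redirects it to the PSN that owns the session; the fallback FQDN is only tried when the list is exhausted. The URL-redirect stage that normally runs first is left out, and all hostnames, MACs and the session table are constructed sample data.

```python
# Constructed model of ISE 2.2+ posture discovery via the Call Home List.
# Not AnyConnect or ISE code; hostnames, MACs and sessions are made up.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class MnT:
    """Monitoring node: records which PSN holds each client's RADIUS session.
    Keyed by client MAC (constructed sample data)."""
    sessions: Dict[str, str] = field(default_factory=dict)


@dataclass
class PSN:
    name: str
    mnt: MnT
    reachable: bool = True  # False models a PSN the client cannot reach

    def handle_discovery(self, client_mac: str) -> Tuple[str, Optional[str]]:
        """Discovery probe from the agent. Any PSN accepts it, asks MnT who
        owns the session, then postures the client itself or redirects it
        to the owning PSN."""
        owner = self.mnt.sessions.get(client_mac)
        if owner is None:
            return ("no-session", None)  # client has not authenticated yet
        if owner == self.name:
            return ("posture-here", self.name)
        return ("redirect", owner)


def discover(client_mac: str, call_home_list: List[str],
             psns: Dict[str, PSN], fallback: Optional[str] = None) -> dict:
    """Walk the Call Home List in order, then the optional fallback FQDN.
    The first reachable PSN decides where posture completes. Returns what
    was tried and the outcome."""
    candidates = list(call_home_list) + ([fallback] if fallback else [])
    tried: List[str] = []
    for host in candidates:
        tried.append(host)
        psn = psns.get(host)
        if psn is None or not psn.reachable:
            continue  # entry unreachable, try the next one
        status, target = psn.handle_discovery(client_mac)
        return {"contacted": host, "status": status,
                "posture_psn": target, "tried": tried}
    return {"contacted": None, "status": "discovery-failed",
            "posture_psn": None, "tried": tried}


def build_lab() -> Dict[str, PSN]:
    """Constructed two-site lab: PSN1/PSN2 at site A, PSN3/PSN4 at site B."""
    mnt = MnT(sessions={
        "00:11:22:33:44:55": "psn2.example.com",  # site A client, session on PSN2
        "66:77:88:99:aa:bb": "psn4.example.com",  # site B client, session on PSN4
    })
    psns = {n: PSN(n, mnt) for n in ("psn1.example.com", "psn2.example.com",
                                     "psn3.example.com", "psn4.example.com")}
    psns["psn1.example.com"].reachable = False  # PSN1 down or unreachable
    return psns


if __name__ == "__main__":
    lab = build_lab()
    one_global_list = sorted(lab)  # a single profile listing every PSN
    # Site A client: PSN1 fails, PSN2 answers and owns the session.
    print(discover("00:11:22:33:44:55", one_global_list, lab))
    # Site B client, same list: PSN2 answers and redirects to PSN4.
    print(discover("66:77:88:99:aa:bb", one_global_list, lab))
    # Unauthenticated client: the PSN finds no session in MnT.
    print(discover("de:ad:be:ef:00:01", one_global_list, lab))
    # Empty list, fallback not reachable from the lab: discovery fails.
    print(discover("00:11:22:33:44:55", [], lab, fallback="enroll.cisco.com"))
```

Run it as a script to see the four outcomes; the "tried" field shows how far down the list the agent had to go before a PSN answered, which is the cost of putting unreachable entries early in the list.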
06-14-2018 09:48 PM
Hello Craig,
Thanks for your explanation, but I still have a question. First, our customer doesn't accept Redirect URL web, so I installed AnyConnect on the customer's computer and I followed the configuration in "ISE Posture Style Comparison for Pre and Post 2.2", this document, but the computer can't detect the policy server. Then I put the ISEPostureCFG.xml into the proper folder, and it does work. We can finish the posture check. So, this step, putting the .xml, is it necessary? Thank you very much.
06-15-2018 08:43 AM
Without redirect the agent initially won’t be able to find the server so you would need to push the xml to tell it who to talk to right?
Another option is to only redirect certain traffic. Example: set up an internal resolvable site in DNS that will trigger redirect, and only redirect on that. Users would initially go to that site and download the agent; this would also be your discovery host in the xml.
Otherwise you have to predeploy
06-18-2018 01:06 AM
If the AnyConnect profile was not configured to include the proper call home list and set as part of the AC provisioning package given to the user, then you may need to push a new one manually. If you are saying that the correct XML was configured and pushed, but not provisioned into the correct directory, and further that things worked only after manually moving the file, then it sounds like a case for TAC and a potential defect.
Again, make sure you have set the correct parameters in the AC profile and that it is the profile being pushed to the client to the correct location during provisioning. You may also want to uninstall AC first in case you are dealing with issues from a past install.
06-18-2018 11:26 PM
Thank you!
08-06-2019 09:39 AM
Hello there,
in case of a distributed deployment, should I create a profile for each site, with specific list of PSNs?
For example:
Site A = Profile A = Call home PSN1 and PSN2
Site B = Profile B = Call home PSN3 and PSN4
Or could I have only one profile with all PSNs on Call Home list (PSN1, PSN2, PSN3 and PSN4)?