ISE Posture mandatory initial URL redirect

jbenitol (Cisco Employee)

Hi Team,

We are working with a customer on a very large project for Posture validation checks with ISE 2.2, AnyConnect 4.4.X and Compliance Module 3.6.X and would very much appreciate your thoughts on an issue they are seeing.

They do not want to use ISE for the deployment of AnyConnect and want to avoid as much burden for the user as possible.

For the initial testing they tried doing a manual install of the client and .xml config file on the endpoint, and found that AC would not speak to ISE (although the ISE server name is correct in the cfg file) until the endpoint is URL-redirected to ISE at least once. After that there is no need for URL redirect in the ISE policy anymore.

Is there a way we can avoid that first URL-Redirect? Are we maybe missing something with the manual install like an initial negotiation/id_exchange/other?

Thanks for your help.

--

Ignacio

3 Replies

stefano.marzi (Level 1)

Hi Ignacio,

You need to copy this file, ConnectionData.xml, into:

C:\Users\All Users\Cisco\Cisco AnyConnect Secure Mobility Client\ISE posture

Edit the XML file and insert the ISE URL:

ConnectionData.xml

<?xml version="1.0" ?>
<records>
    <record>
        <primary>postureportal.ise.YOUR-ISE.com</primary>
        <port>8999</port>
        <status_path>/auth/status</status_path>
        <ng-discovery>/auth/ng-discovery</ng-discovery>
        <time>1495024640</time>
        <backups>
            <backup>SECONDARY-ISE.com</backup>
        </backups>
    </record>
</records>

With this, AnyConnect can go straight to the posture portal.

Remember that the URL redirect is sometimes blocked by firewalls along the way between the client running AC, the first L2 switch that intercepts the URL redirect, and ISE.

Stefano

Craig (Accepted Solution)

That trick will only work if set to the specific PSN or PSNs that may be the RADIUS session owner.

With ISE 2.2 you no longer require URL redirection to trigger posture to ensure the client hits the correct PSN that owns the RADIUS session. ISE 2.2 also adds an option to deploy AC directly from a portal without redirection.

/Craig
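Stefano's ConnectionData.xml above and Craig's caveat that it only helps when every PSN that may own the RADIUS session is listed, as an added example that is not part of this thread and not Cisco code: a Python helper that generates the file with the element names from the post, parses it back, and reports any session-owning PSNs that are missing from it. The element names, port, paths and file location come from the post; the bare-FQDN rule, the helper names and the sample PSN names are this example's own assumptions.

```python
"""Build, validate and check the ConnectionData.xml that the AnyConnect
ISE Posture module reads to find its PSN without a URL redirect.

Added example for this thread, not Cisco code. Element names, port and
file location are taken from the post; validation rules and helper names
are this example's assumptions.
"""
import re
import time
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Location quoted in the post ("All Users" is a junction to C:\ProgramData).
CONNECTION_DATA_PATH = (
    r"C:\Users\All Users\Cisco\Cisco AnyConnect Secure Mobility Client"
    r"\ISE posture\ConnectionData.xml"
)
DEFAULT_PORT = 8999                 # posture port shown in the post
STATUS_PATH = "/auth/status"
DISCOVERY_PATH = "/auth/ng-discovery"

# Bare host name only: a scheme, port or path in <primary> is a config bug.
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$",
    re.IGNORECASE,
)


def is_bare_fqdn(host: str) -> bool:
    """True if 'host' is a plain FQDN such as psn1.example.com."""
    return bool(_FQDN_RE.match(host))


def _check_host(host: str) -> str:
    if not is_bare_fqdn(host):
        raise ValueError(f"not a bare FQDN: {host!r}")
    return host


def build_connection_data(primary, backups=(), port=DEFAULT_PORT, now=None):
    """Return ConnectionData.xml text for one primary PSN plus backups.

    'now' fills <time> as a Unix epoch; pass a fixed value for reproducibility.
    """
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port: {port!r}")
    stamp = int(time.time() if now is None else now)
    lines = [
        '<?xml version="1.0" ?>',
        "<records>",
        "    <record>",
        f"        <primary>{_check_host(primary)}</primary>",
        f"        <port>{int(port)}</port>",
        f"        <status_path>{STATUS_PATH}</status_path>",
        f"        <ng-discovery>{DISCOVERY_PATH}</ng-discovery>",
        f"        <time>{stamp}</time>",
        "        <backups>",
    ]
    lines += [f"            <backup>{_check_host(b)}</backup>" for b in backups]
    lines += ["        </backups>", "    </record>", "</records>"]
    return "\n".join(lines) + "\n"


def parse_connection_data(xml_text: str) -> dict:
    """Parse a ConnectionData.xml back into a dict, rejecting missing fields."""
    root = ET.fromstring(xml_text)
    rec = root.find("record")
    if root.tag != "records" or rec is None:
        raise ValueError("expected <records><record>...</record></records>")

    def need(tag):
        el = rec.find(tag)
        text = (el.text or "").strip() if el is not None else ""
        if not text:
            raise ValueError(f"missing <{tag}>")
        return text

    return {
        "primary": _check_host(need("primary")),
        "port": int(need("port")),
        "status_path": need("status_path"),
        "ng_discovery": need("ng-discovery"),
        "time": datetime.fromtimestamp(int(need("time")), tz=timezone.utc),
        "backups": [_check_host((b.text or "").strip())
                    for b in rec.iterfind("backups/backup")],
    }


def uncovered_psns(xml_text: str, session_owner_psns) -> list:
    """PSNs that can own the RADIUS session but are absent from the file.

    Craig's caveat: the file only helps if every PSN that may own the
    session is listed; a non-empty result means those sessions still
    depend on a URL redirect.
    """
    data = parse_connection_data(xml_text)
    listed = {data["primary"].lower()} | {b.lower() for b in data["backups"]}
    return sorted(p for p in session_owner_psns if p.lower() not in listed)


if __name__ == "__main__":
    # Constructed sample using the placeholder names from the post.
    text = build_connection_data("postureportal.ise.YOUR-ISE.com",
                                 ["SECONDARY-ISE.com"], now=1495024640)
    print(text)
    print(parse_connection_data(text))
    print("not listed:", uncovered_psns(text, ["psn3.YOUR-ISE.com"]))
```

Generate the file on the deployment host and push it to the quoted path with the same tooling that installs AnyConnect; since the file tells the agent where to call home, it should remain writable only by administrators on the endpoint.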

hslai (Cisco Employee)

Adding to Craig's reply, the AnyConnect Profile Editor for the ISE Posture module, release 4.4+, has the option to define a "Call Home List".

You might also want to take a look at

AnyConnect 4.4 ISE Posture Profile Editor

ISE posture style comparison for pre and post 2.2 - Cisco
