08-02-2017 01:18 AM
Hi Team,
We are working with a customer on a very large project for Posture validation checks with ISE 2.2, AnyConnect 4.4.X and Compliance Module 3.6.X and would very much appreciate your thoughts on an issue they are seeing.
They do not want to use ISE for the deployment of AnyConnect and want to avoid as much burden for the user as possible.
For the initial testing they tried doing a manual install of the client and .xml config file to the endpoint, and found that AC would not speak to ISE (although the ISE server name is correct in the cfg file) until the endpoint is URL-redirected to ISE at least once. After that there is no need for URL redirect in the ISE policy anymore.
Is there a way we can avoid that first URL-Redirect? Are we maybe missing something with the manual install like an initial negotiation/id_exchange/other?
Thanks for your help.
--
Ignacio
08-02-2017 07:04 AM
That trick will only work if set to specific PSN or PSNs that may be RADIUS session owner.
With ISE 2.2 you no longer require URL redirection to trigger posture to ensure client hit the correct PSN that owns the RADIUS session. ISE 2.2 also adds option to deploy AC directly from a portal without redirection.
/Craig
08-02-2017 06:17 AM
Hi Ignacio,
you need to copy this file, ConnectionData.xml, into:
C:\Users\All Users\Cisco\Cisco AnyConnect Secure Mobility Client\ISE posture
Edit the XML file and insert the ISE URL:
ConnectionData.xml
<?xml version="1.0" ?>
<records>
  <record>
    <primary>postureportal.ise.YOUR-ISE.com</primary>
    <port>8999</port>
    <status_path>/auth/status</status_path>
    <ng-discovery>/auth/ng-discovery</ng-discovery>
    <time>1495024640</time>
    <backups>
      <backup>SECONDARY-ISE.com</backup>
    </backups>
  </record>
</records>
With this one, AnyConnect can go straight to the posture portal.
Remember that the URL redirect sometimes is banned by firewalls along the way between the client with AC, the first L2 switch that intercepts the URL redirect, and ISE.
Stefano
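Generalising Stefano's file to several PSNs (Craig's caveat above: every PSN that may own the RADIUS session has to be listed), as an added Python example that is not Cisco's code nor any poster's; it assumes only the element layout shown in the thread, and that <time> is Unix epoch seconds, and it also sanity-checks a hand-edited file before it is pushed to endpoints:

```python
import time
import xml.etree.ElementTree as ET

DEFAULT_PORT = 8999            # port shown in the thread's sample file
STATUS_PATH = "/auth/status"
DISCOVERY_PATH = "/auth/ng-discovery"

# Constructed sample mirroring the layout posted in the thread (placeholder hosts).
SAMPLE = """<?xml version="1.0" ?>
<records><record>
<primary>postureportal.ise.YOUR-ISE.com</primary><port>8999</port>
<status_path>/auth/status</status_path><ng-discovery>/auth/ng-discovery</ng-discovery>
<time>1495024640</time><backups><backup>SECONDARY-ISE.com</backup></backups>
</record></records>"""


def build_connection_data(psns, port=DEFAULT_PORT, now=None):
    """Return ConnectionData.xml text: psns[0] becomes <primary>, the rest become
    <backup> entries, so every PSN that may own the RADIUS session is listed."""
    if not psns:
        raise ValueError("at least one PSN FQDN is required")
    records = ET.Element("records")
    record = ET.SubElement(records, "record")
    ET.SubElement(record, "primary").text = psns[0]
    ET.SubElement(record, "port").text = str(port)
    ET.SubElement(record, "status_path").text = STATUS_PATH
    ET.SubElement(record, "ng-discovery").text = DISCOVERY_PATH
    stamp = int(time.time()) if now is None else int(now)  # assumed: epoch seconds
    ET.SubElement(record, "time").text = str(stamp)
    backups = ET.SubElement(record, "backups")
    for fqdn in psns[1:]:
        ET.SubElement(backups, "backup").text = fqdn
    return '<?xml version="1.0" ?>\n' + ET.tostring(records, encoding="unicode")


def check_connection_data(xml_text):
    """Parse a ConnectionData.xml and return (primary, port, backups); raise
    ValueError on a missing/empty element or bad port (typical hand-edit slips)."""
    record = ET.fromstring(xml_text).find("record")
    if record is None:
        raise ValueError("no <record> element")
    fields = {}
    for tag in ("primary", "port", "status_path", "ng-discovery", "time"):
        el = record.find(tag)
        if el is None or not (el.text or "").strip():
            raise ValueError(f"missing or empty <{tag}>")
        fields[tag] = el.text.strip()
    if not fields["port"].isdigit() or not 1 <= int(fields["port"]) <= 65535:
        raise ValueError(f"invalid <port> {fields['port']!r}")
    backups = [b.text.strip() for b in record.iterfind("backups/backup") if b.text]
    return fields["primary"], int(fields["port"]), backups
```

Write the output of build_connection_data() to the ISE posture folder Stefano names, and run check_connection_data() on any file edited by hand before deploying it.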
08-02-2017 02:05 PM
Adding to Craig's, the AnyConnect Profile Editor for ISE Posture module, release 4.4+, has the option to define "Call Home List".
You might also want to take a look at