ISE 2.2 AnyConnect Posturing without using redirect

hruizman
Cisco Employee

Hello, I have a challenge. I have AnyConnect posture for Antivirus. My computers go to hibernate and after returning from hibernation my Office 365 connection sends me a certificate warning. I assume this is due to the redirection of TCP 80/443 to client provisioning and the ISE PSN certificate being presented instead of Office 365.

Since finding out about Office 365 IP addresses would be paramount, I thought of having AnyConnect statically look for the PSN/CPP. Has anyone done this? Any guidance on how to accomplish this?

I appreciate it.

Homero Ruiz

Accepted Solution

Craig Hyps
Level 10

Per Re: Posture 2.2-style, you can set up a direct link Client Provisioning Portal. Even if redirected to the PSN after the connection is lost, the portal cert should be trusted. However, if redirecting HTTPS, then that would explain the cert warning for the NAD itself. Yes, ISE 2.2 Posture without redirect could be used to send the request to the PSN directly for redirect without NAD intervention.


2 Replies

paul
Level 10

The other thing I would say, as this seems to be a common issue people post about, is that if you aren't using the CPP portal to install anything for posturing (I never do outside of testing), then the URL redirect only needs to intercept port 80 calls to the discovery methods, i.e. default gateway, enroll.cisco.com or discovery host. You can still DACL/ACL block traffic in a pre-posture state, but you don't need to URL redirect anything other than the discovery methods.

I see too many people redirecting all HTTP/HTTPS traffic; then, when the OS is doing portal detection or sending out web traffic, it ends up kicking up the CPP page and causing confusion.
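As an added illustration of the point above (not configuration from this thread), here is an over-broad Cisco IOS redirect ACL beside one narrowed to the three discovery targets, plus the pre-posture DACL that does the actual blocking; the ACL names, the DACL name and all addresses (RFC 5737 ranges) are constructed, and both ACLs are assumed to be referenced from the same ISE authorization profile via its Client Provisioning (Posture) web redirection.

```cisco
! Over-broad redirect ACL (the pattern the reply warns against): every
! HTTP and HTTPS flow from a pre-posture host is sent to the Client
! Provisioning Portal, so browser sessions, OS captive-portal probes and
! Office 365 all get the PSN certificate. Addresses are constructed.
ip access-list extended ISE-REDIRECT-BROAD
 remark PSN itself (192.0.2.10) and DNS are excluded from redirection
 deny   ip  any host 192.0.2.10
 deny   udp any any eq domain
 remark everything else on 80/443 is redirected - too broad
 permit tcp any any eq 80
 permit tcp any any eq 443
!
! Narrowed redirect ACL: only TCP/80 to the AnyConnect posture discovery
! targets is redirected. In a Cisco IOS redirect ACL, permit = redirect
! and deny = leave alone; HTTPS and all other ports fall through.
ip access-list extended ISE-REDIRECT-POSTURE
 deny   ip  any host 192.0.2.10
 deny   udp any any eq domain
 remark client default gateway
 permit tcp any host 192.0.2.1 eq 80
 remark enroll.cisco.com as it resolved in this lab (constructed address)
 permit tcp any host 203.0.113.5 eq 80
 remark discovery host configured in the AnyConnect ISE posture profile
 permit tcp any host 192.0.2.20 eq 80
 deny   ip  any any
!
! Pre-posture DACL (name PRE-POSTURE-DACL is assumed), entered in ISE
! under Policy > Policy Elements > Results > Authorization > Downloadable
! ACLs and referenced from the same authorization profile as the redirect
! ACL. Blocking is done here, not by the redirect ACL: DHCP, DNS, the PSN
! (CPP on 8443, posture agent on 8905) and the three discovery targets
! are allowed; everything else is dropped until posture is compliant.
permit udp any any eq bootps
permit udp any any eq bootpc
permit udp any any eq domain
permit ip any host 192.0.2.10
permit tcp any host 192.0.2.1 eq 80
permit tcp any host 203.0.113.5 eq 80
permit tcp any host 192.0.2.20 eq 80
deny ip any any
```

With the narrowed redirect ACL, an Office 365 HTTPS session resumed after hibernation is simply dropped by the DACL until posture completes, rather than being answered with the PSN certificate.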