ISE 1.2 Posture Assessment with AnyConnect Client

Hi Experts,
I need clarity for posture assessment with AnyConnect client. I understood that we had traditional NAC agent with ISE 1.1.
The new AnyConnect version 4 has come out, which is used for ISE 1.3 posture assessment; however, I am not sure if I can use AnyConnect 4 with ISE 1.2. Can you please shed light on this?
If not, do I need to upgrade to ISE 1.3? What is the process to upgrade to ISE 1.3?
Thanks in advance

ISE can provision clients with agent and configure agent profiles. You have Client-provisioning policies that enable users to download and install resources on client devices (Windows and Mac OS X NAC Agents, Cisco NAC Web Agent).

Similar Messages

  • ISE post compliant posture assessment URL redirection

    G'day All,
    Is anyone aware if it is possible for ISE to push a URL redirection to user devices once they have passed the posture assessment?
    I am deploying a wireless BYOD ISE deployment with AD auth and posture assessment, and we are hoping to find an easy way to push the compliant users to a new URL once they have passed posture.
    Thanks gang.
    Cheers,
    James.               

    It is not possible to redirect user after authentication and posturing to a specific URL, because ISE does not support this feature till now.
    I think URL redirection can be done in web authentication if used in case of employee.
    Navigate to Policy > Policy Elements > Results > Authorization and then select Authorization Profiles
    Step 18 Select Add to create a new Authorization Profile for Central Web Authentication:
    Name: Central_Web_Auth
    Description: (optional)
    Access-Type: ACCESS_ACCEPT
    DACL Name: CENTRAL_WEB_AUTH
    Centralized Web Authentication: ACL: ACL-WEBAUTH-REDIRECT, Redirect: Default
    “ACL-WEBAUTH-REDIRECT” is configured on switch which determines to which destination it will redirect

  • Windows 8.1 Preview not working with AnyConnect Client

    I had Windows 8 and was running Cisco AnyConnect client 3.0.10055 perfectly.
    I upgraded to the Windows 8.1 preview and it tries to download update and then it fails and disconnects with the following message:
    An unknown termination error occurred in the client.
    Tried uninstalling and reinstalling the client, no luck.
    Any ideas?
    Thanks,
    Eric

    I had the same issue with Windows 8.1 x64. I believe there is an issue with the Windows 8.1 update process where it fails to update some of the drivers properly. I have noticed this issue with other Windows drivers after the update. Follow the steps below and your VPN should work again.
    1. Uninstall Cisco Anyconnect client.
    2. Go to Device Manager and Disable Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
    3. Go to C:\Windows\System32 and rename vpnva64.sys to vpnva64_Old.sys.
    4. Reinstall Cisco Anyconnect client.
    5. Go to Device Manager, you see duplicated Cisco AnyConnect VPN Virtual Adapters. Uninstall one of them but do not check the option to remove the driver.
    6. Apply the registry fix in this blog: http://www.tomontech.com/2012/03/pro-tip-cisco-anyconnect-vpn-client-and-windows-8-consumer-preview/
    7. Try to connect again and your Cisco VPN should work. 

  • SSL Certificate Mismatch with AnyConnect client

    Hello,
    We are having a problem with the AnyConnect client when connecting to our VPN.  We are running the following:
    AnyConnect v2.4.0202
    (2 each) ASA v8.2(1) -- active/standby failover
    AnyConnect Essentials Licensing
    NOTE:  We are not using certificates for authentication.
    Primary clients:  Windows XP and Windows 7
    Problem
    We have purchased an Entrust certificate for our ASA failover cluster called "vpn.company.com" and it is attached to the outside interface on the ASA.
    Steps to Reproduce
    Install the AnyConnect (AC) client via https://vpn.company.com/.  Connection occurs here without issue.
    Once the AC client is installed and we try to use it in stand-alone mode (i.e., w/o hitting the ASA w/ a browser), a certificate mismatch occurs, and AC brings up the Windows/IE Security Alert dialog (see attachment CertError.jpg).
    The user must press Yes to bypass mismatch.
    PROBLEM:  On Windows 7, the user must have administrative privileges and run the AC client as administrator -- otherwise, they get a dialog saying "Unable to establich VPN" (see attachment Unable.jpg).
    The issue is we have a valid certificate that should be used for the connection.  However, when looking at the connections made by the AC client with Fiddler, it would appear that the AC client is trying to connect directly to the ASA's IP address, and not the name.  This is a nuisance for XP users, and a show-stopper for Win7 users as they do not have admin privileges.
    I have not been able to find any documentation on Cisco.com relating to this issue.  In short, how do I get the AC client to use "vpn.company.com" so there is no Cert mismatch?
    Thanks,
    -Matt

    Tim,
    I will read through the article more thoroughly; I've already been through parts of it -- won't hurt to go through again.  I did initially have the IP address in my XML file, and immediately removed it when I noticed that it was using the IP address in the Fiddler dump.  It hasn't had any effect unfortunately -- even with uninstalling and re-installing the AC client locally.
    The only other article/post I've come across on Cisco's site that comes close is here:
    Cisco Support Community: ASA VPN Load Balancing/Clustering with Digital Certificates Deployment Guide
    which seems to suggest that I will need a UCC certificate (which seems ridiculous) to do some of what I need to do.  However the issue with that post is that it still wouldn't fix the issue where the AC client is using the IP address.
    I will let you know if I find any smoking guns in the doco link you sent.  Any other thoughts appreciated.  I can't believe Cisco made the setup of the AC client this convoluted.
    Thanks!
    -Matt

  • Posture Assessment with ISE for smartphones

    Hi support community..
    I would like to know if it is possible to implement NAC for smartphones (Android phones, iPhones, iPads basically) using the ISE. The primary goal would be to check that the smartphone has an antivirus installed.
    Many Thanks in advance.

    I second Richard on the fact that it can't be done. However, I was going through this and wanted to share in case it helps.
    Default Posture Status
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_pos_pol.html#wp1919363
    Jatin Katyal
    - Do rate helpful posts -

  • ISE 1.2 Posture assessment (AV) system center endpoint

    The Cisco NAC Web Agent can't detect that the AV (System Center Endpoint Protection) is updated, although it is updated.
    By troubleshooting, it seems it is related to Windows 8.1, as I tested the same AV on another machine with Windows 7 and it is working.
    Has anybody faced this issue?

    Support for Windows 8.1
    Cisco NAC Appliance Release 4.9(3) along with Cisco NAC Windows Agent 4.9.3.9 and Cisco NAC Web Agent Version 4.9.3.7 supports Microsoft Windows 8.1. See Also Patch Supporting Windows 8.1 and Mac OS X 10.9.
    In a Windows 8.1 client, in the metro mode, the NAC Agent shortcuts are available in the Apps screen instead of the Start screen.
    For a Windows 8.1 client machine, while configuring the user pages in CAM web console, if you have selected the web client as 'Java Applet Only' and enabled the 'Use web client to detect client MAC address and Operating System' option, then the client Operating System might be detected as Windows 8. While using Applet for Windows 8.1, configure the user page with WINDOWS_ALL. See Also CSCuj59700.

  • Anyconnect endpoint assessment with anyconnect phones

    Hello,
    We are rolling out AnyConnect endpoint assessment & would like to know what the impact is to existing AnyConnect phones.
    We are looking to check on the OS version/domain membership/ & file checks. I'm not sure how this would impact VoIP endpoints as they are running firmware opposed to an OS.

    Hello
    Please forgive the shameless bump. Was hoping someone could help?
    Many thanks

  • Can I use ISE IPN without posture for VPN with Base license only?

    I'm looking at ISE licensing, and both Base and Advanced licenses have VPN listed. I could not find any document that provides guideline for VPN implementation using ISE Base license only.
    1. Can I use ISE IPN (Inline Posture Node) functionality without posture assessment with ISE Base license only? (I know it has to be ISE hardware appliance, and I know that Posture assessment requires ISE Advanced license.)
    2. Do I have to use IPN for VPN deployment using ISE as the Radius server?
    3. If I do not have to use IPN for VPN, can I use ISE for Authentication and Authorization in the same way as I use ACS?
    Thanks,
    Val Rodionov

    Val,
    There is no need to consider IPN if you are not using posturing. You can use ISE much like ACS for radius authentication for vpn users.
    If posturing is down the road and your hope is to have an architecture in place and license later, then I am sure that you can use the IPN with base licensing; however, I would strongly recommend working with the PDI (for partners) for help and confirmation.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • AnyConnect Client shows 'Connected' even when it is not

    Hello,
    We have one Windows 8 user, with AnyConnect Client version 3.1.05152 (but we've seen this with a previous version).  He generally does not disconnect  his client, so it will time out at some point during the night, according to our logs.    However, several hours later, the client still indicates that it is connected.  Has anyone else seen this, and found a solution for it?
    Thanks
    MJ

    You can return a new Mac within 14 days of purchase.
    Return it and get another one.
    A new Mac comes with 90 days of free tech support from AppleCare.
    AppleCare: 1-800-275-2273

  • Cisco ISE Vs Cisco Anyconnect Posture module with Advanced Endpoint Protection

    We are planning to use Cisco AnyConnect posture module with Adv Endpoint protection to examine the VPN users. This can check whether they have antivirus/anti-spyware software installed on their workstation and can force an update of the def file if it's older than a specified number of days; it can also check the firewall status on their workstation and enable it if it's not already. This can detect keylogger and emulation software also.
    Do we get any additional advantages in using ISE compared to Anyconnect posture module ......
    Siddhartha       

    These are good questions. We had them last year before we decided to purchase ISE, specifically for our VPN users.
    I will be watching this thread to see what kind of responses you get.
    As of right now, I can verify the ISE can indeed check if specific Anti-Virus is installed (i.e., your corporate AntiVirus), or if ANY (supported by Cisco within ISE) antivirus is installed, and it can force an update process for the AV if it detects that the DAT files are older than an admin-specified amount of time.
    Our issue at the moment (if you haven't searched the forums) is ISE detected the proper WSUS updates are indeed installed on the users systems and allowing the users system to talk to our internal WSUS server.
    We are now wondering if the Advanced Endpoint licensing on the ASA would have been a better way to go.
    Wishing you luck in finding your answers for us all.
    Dirk

  • Pre-login posture assessment - possible with ISE?

    Does anyone know if it is possible (or not) to have a Windows machine posture assessed on boot, i.e. before anyone logs in on it? Currently, I have to log in on my machine before the assessment starts. It would be good to have assessment begin as soon as the machine boots so that (assuming the machine passes assessment) it is completed by the time I log in. We are using the NAC Agent with ISE 1.2.
    Thanks in advance for your thoughts.

    As far as I know, the posture agent does not do anything before the user has logged in. I have never seen a posture report in ISE that indicates anything else, because you would get many failed posture compliance checks if it did (checking user keys, user files, AV status and so on in machine land).

  • AnyConnect - Posture Assessment Failed: Unable to get the available CSD version....

    Hello all
    I am attempting to get the HostScan posture assessment working so we can check that any device connecting to the ASA is a valid corporate asset.
    I have installed the posture module onto our test client machine (Windows 8.1) using the following software:
    anyconnect-posture-win-4.0.00061-pre-deploy-k9
    Then in ASDM under Remote Access VPN > Host Scan Image I have uploaded the following package:
    disk0:/hostscan_3.1.06073-k9.pkg
    ...and ticked the box 'Enable Host Scan/CSD'.
    Under Remote Access VPN > Secure Desktop Manager I have configured an initial simple Prelogin policy to test it working, this simply just checks that the OS is Windows 8. A success should map this user to a Group Policy I have created that is mapped to a Connection Profile. 
    So, with all that said, when I try to connect I see that the AnyConnect client going through the motions: "Posture Assessment: Checking for updates....", after which I get a pop-up and error message:
    "Posture Assessment Failed: Unable to get the available CSD version from the secure gateway"
    A bit stumped here and haven't quite found much on the web as to how to resolve this.
    Has anyone encountered this before? If so, can you advise on what I can do
    By the way I am connecting using IKEv2 (IPsec) as these are the requirements and the AC version is 4.0.00061, ASA version: 9.2(1).
    Many thanks

    Hello
    Please forgive the shameless bump. Was hoping someone could help?
    Many thanks

  • Cisco ISE inline posture node Posture assessment query

    Hi all,
    I read the user guide for the ISE 1.1 and in the Inline posture section, I picked up the following text which concerned me if I understand it right...
    "In a deployment, such as outlined in the example, when more endpoints connect to the wireless network
    they are likely to fall into one of the identity groups that already have authenticated and authorized users
    connected to the network.
    For instance, there may be an employee, executive, and guest that have been granted access through the
    outlined steps. This situation means that the respective restrictive or full-access profiles for those ID
    groups have already been installed on the Inline Posture node. The subsequent endpoint authentication
    and authorization uses the existing installed profiles on the Inline Posture node, unless the original
    profiles have been modified at the Cisco ISE policy configuration. In the latter case, the modified profile
    with ACL is downloaded and installed on the Inline Posture node, replacing the previous version."
    Does this mean that if a corporate user VPNs in and successfully passes posture and gets a dACL applied to the session allowing full access, will the next user completely skip posture assessment and granted full access to the network if they are a member of the same AD group?
    I am planning on using the iPEP for posturing VPN clients and using AD groups to determine the correct dACL to apply to a particular VPN session.
    Thanks!
    Mario

    I'm not too familiar with the actual operations of the Inline Posture node, but it seems to me that the only things that are more or less "cached" are the authentication and authorization profiles that have been previously matched. So, even if they're "cached" and an endpoint matches and authorizes based on those policies, it would match on the policy that provides a pre-posture state. So, a PRE-POSTURE ACL would be pushed and a URL redirect would also occur to the NAC agent download portal (if the endpoint doesn't have it already).
    After posture is assessed, a change of authorization would occur and reauthorize that endpoint's session.
    So, in short, even if the profiles are cached, they only deliver pre-posture profiles. After posture assessment, the endpoint goes through reauth via CoA.
    If you have access to the partner education connection, I suggest checking out the VoE deep dive series for ISE. There's a posture presentation that would probably help you out.
    https://communities.cisco.com/docs/DOC-30977
    HTH,
    Ryan

  • ISE 1.2 - Posture Detail Assessment - enforcement audit mode report not show status for non-compliant

    ISE 1.2 - Posture Detail Assessment - enforcement audit mode report not show status for non-compliant.
    - For old version 1.1.4 it can be reported for non-compliant, How can I generate report for this? 
    Thanks
    Kosin Usuwanthim

    It used to be in there (id 226635 is the last one with it); should I clean it up a bit and put it back with a bit more of a disclaimer?

  • Simple Web Auth policy and simple posture assessment policy in ISE

    G'day All,
    I've just finished reading through the Cisco BYOD with ISE document and it's left me a little more confused than when I started.
    I completely understand the onboarding process and the different policy elements that make up the self registration/onboarding configuration.
    What I'd like to do is put together an ISE configuration that is a lot simpler for the BYOD user.
    Is anyone able to advise if it is possible to have a single dot1x SSID with ISE that has a policy for Windows laptops using AD authentication for the user and Posture assessment and a policy for all smart devices (iOS and Android) that is just AD authentication of the user, without the need for device registration?
    The target user demographic for my deployment are really not technical so having to go through the onboarding process, especially for the Android devices, with the pre-installation of the cisco app, etc, really isn't what they are looking for.
    Huge thanks for any assistance.
    Cheers,
    JS

    Yes, that's possible. But without "device registration" then you need to configure Wireless 802.1x manually in every Android device.
    Please rate if that helps.
