Lab Minutes Forum

Technical Discussion => Security => Topic started by: Ted on October 07, 2015, 08:43:33 PM

Title: ISE posture using predeploy method and posture discovery
Post by: Ted on October 07, 2015, 08:43:33 PM

Hi All,
We have a scenario to pre-deploy any-connect 4.x NAM and posture modules to corporate PCs. Pre-deployment is using a windows software distribution method for the any-connect packages and the profiles (created using profile editor).  Because we will not use the CPP method of provisioning how does the posture module discover the ISE hosts.  There are three PSN nodes in a distributed setup and in node groups.

My understanding is to keep the discovery host field black and let the posture agent to identify the PSNs. In a pre-deployment scenario how does this work because there is no CPP redirection using a browser?
 

Thanks in advance.

Regards
Ted

Title: Re: ISE posture using predeploy method and posture discovery
Post by: MC on October 08, 2015, 09:56:41 AM

As long as ISE returns a posture redirect URL, the posture agent will contact whatever ISE node listed in that URL without using having to open a browser. So set everything up normally and the only difference would be user not having to download the agent through the web.

Title: Re: ISE posture using predeploy method and posture discovery
Post by: Ted on October 08, 2015, 03:23:59 PM

Hi MC

Thanks for the reply and will give it a go.
just to clarify,how would the agent will try to reach the PSNs first initially as there is no browser is used to do a redirection and to create a session?


Ted

Title: Re: ISE posture using predeploy method and posture discovery
Post by: MC on October 09, 2015, 10:32:48 AM

I believe the agent should make its own web connection on the background, hit the redirect URL, and find out about ISE node that way.