Anyconnect NAM and ISE Posture on Windows 8 and Windows 7 machines

Rafael Mendes
Level 2

Hello Everyone,

I'm testing the AnyConnect client using the NAM module to do the 802.1x process and the ISE posture module to do the posture using ISE version 1.3.

The question is about the profiles on the AnyConnect client. I installed the AnyConnect Profile Editor and I created one profile (xml file), but I don't know what I need to do with this file. Where do I need to put this file on Windows 8 and 7? How can I create a "packet" to install these AnyConnect modules on the other machines automatically with the new profile, without the "default" profile?

 

Thank you,

Rafael

16 Replies

nspasov
Cisco Employee

Hi Rafael-

Check the following thread about the xml file and what needs to be done with it:

https://supportforums.cisco.com/document/93891/anyconnect-secure-mobility-client-30-network-access-manager-profile-editor-windows

Furthermore, you can use something like Microsoft's SCCM or other products like Symantec's Altiris to push the NAM client and the XML file to multiple machines. 

I hope this helps!

 

Thank you for rating helpful posts!

Thanks Guys.

Now the NAM is working fine (I changed some auth modes and now it is working).

At the moment I have a problem with the AnyConnect ISE posture module. I configured the profile, but when the client comes up, it doesn't find the policy server to do the posture validation/verification (No Policy Server detected).

 

I have some questions about this:

I'm configuring the profile using the standalone Posture profile editor.

In Discovery Hosts, can I add more than one policy server or just one?

In Server name rules, is it correct to input the domain of the company, like *.company.com?

Configuration screen shot attached.

 

Hi Rafael,

Discovery host should not be your Policy Server(s). Discovery host is one host that the posture module tries to connect to with HTTP, so that it can be redirected by either the switch or the wireless controller to the actual policy server that has the posture xml profile on it, just like with guest portal redirect. This is why you need to use a redirect to posture in your authz policy. If you don't, the posture agent will never find the policy server. I usually set the discovery host to some internal name that is resolvable, but that clients don't need access to. I attached some basic ISE authz rules I use in my lab.

Server name rules refer to which policy server names you will allow the posture agent to connect to, once it has found a policy server via the redirect. It's quite simple to test if everything is set up correctly in ISE and in your switch/WLC. Just point your browser to the discovery host on HTTP, and you should be redirected to one of your policy servers, and the page should be a posture provisioning type page.
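
An added example, not part of any post in this thread: the browser test described above, scripted. It requests the discovery host over plain HTTP without following redirects and checks the redirect target against the Server name rules; the host names are constructed, and shell-style wildcard matching for the rules is an assumption.

```python
import fnmatch
import http.client
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def classify_discovery_response(status, location, server_name_rules):
    """Judge one HTTP answer from the discovery host.

    Returns (verdict, policy_server_host). Rule matching uses shell-style
    wildcards, which is an assumption about how "*.company.com" is applied.
    """
    if status not in REDIRECTS or not location:
        # Nothing intercepted the request: check the authz redirect and the
        # redirect ACL on the switch/WLC ("No policy server detected" case).
        return ("no-redirect", None)
    host = (urlsplit(location).hostname or "").lower()
    if not host:
        return ("bad-location", None)  # relative Location names no server
    for rule in server_name_rules:
        if fnmatch.fnmatchcase(host, rule.strip().lower()):
            return ("ok", host)
    # Redirect works, but the agent would refuse this policy server name.
    return ("name-rule-mismatch", host)

def probe_discovery_host(discovery_host, server_name_rules, timeout=5):
    """Send GET / over HTTP; http.client never follows redirects itself."""
    conn = http.client.HTTPConnection(discovery_host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return classify_discovery_response(
            resp.status, resp.getheader("Location"), server_name_rules)
    finally:
        conn.close()

if __name__ == "__main__":
    rules = ["*.company.com"]
    # Constructed responses; on a posture-redirected client, call
    # probe_discovery_host("<discovery host>", rules) instead.
    samples = [
        (302, "https://ise01.company.com:8443/portal"),
        (200, None),
        (302, "https://ise01.lab.example:8443/portal"),
    ]
    for status, location in samples:
        print(status, location, classify_discovery_response(status, location, rules))
```
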

Hi,

 

I am having the same problem... "No policy server detected"

I have left the discovery host blank & the server name rule as "*.company.com"

 

Rafael Mendes, please advise if you have got this issue resolved. Thanks

Hi Mudars, 

Sorry for the late response.

Actually, follow jan.nilsen's configuration and probably everything will work :)

You need to have the configuration in ISE and the ACL configured manually on the switch to do the redirect.

 

Guys,

I have one more question, but this question is focused on the offline client, when we need to install the client and the profile together.

What is the correct name for the xml profile? I'm using the AnyConnect ISE Posture for Windows, and I'm including the profile with the name "configuration.xml", the same as NAM, but it didn't work.

At the moment I'm using the native supplicant (Windows) and the AnyConnect ISE Posture client for posture validation.

 

Do you guys have this information? 

 

Thank you,

Rafael Mendes

 

NAM config has to be named "configuration.xml"

ISE Posture config has to be named "ISEPostureCFG.xml"

Thank you Jan :)

Where did you get this information? I didn't find this.

Do you have the doc link?

 

Do you know the AnyConnect Secure Mobility Client Install Selector?

I'm selecting only the AnyConnect ISE Posture checkbox, and I'm receiving the message "Failed to load the compliance module". Do I need to select one more?

Look at the attached file, please.

 

Thanks.

 

 

 

You have to install the AnyConnect VPN client first. Then you can install the ISE posture module. If you don't need the actual VPN function, you can install it with the command line option on the msi package like so:

msiexec /package anyconnect-win-ver-pre-deploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* <logfile>

Also, they have to be the same version. I never use the install selector, I just run the msi packages directly. Remember that your xml files need to be in different directories under the /Profiles directory that comes with the msi packages (nam under nam directory and ise posture under the posture directory).

The filenames I have from having troubleshot this many times, and figuring out how this should be done.

 

Ok.

This command msiexec /package anyconnect-win-ver-pre-deploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* will install the VPN Client (hide mode) and the ISE posture client too?

 

I really need the documentation to learn more about this. Do you have any link to send me?

Thank you for your patience! :)

Hi Rafael,

 

No, this command only installs the base module of AnyConnect. You have to install the ISE posture module separately afterwards.

Ok.

So, I have these files (screenshot attached).

I'll install first the anyconnect-win-4.0.00048-pre-deploy-k9.msi file and then the anyconnect-iseposture-win-4.0.00048-pre-deploy-k9.msi, is that it?

Do I need to install another one?

 

Yes, if you want to use NAM, you also have to install that msi package.

anyconnect-nam-win-4.0.00048-k9.msi
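
An added example, not from any poster or from Cisco: a pre-flight check of a pre-deploy staging folder against the rules given in this thread (core package present, module versions equal to the core version, profile file names per module). The version 4.0.00051 and the folder layout are constructed, and recognizing a profile folder by "nam" or "posture" in its name is an assumption based on the wording above.

```python
import re
from pathlib import PurePosixPath

# Matches the package names quoted in the thread, with or without "-pre-deploy".
MSI_RE = re.compile(
    r"^anyconnect-(?:(?P<module>[a-z]+)-)?win-(?P<version>\d+(?:\.\d+)+)"
    r"(?:-pre-deploy)?-k9\.msi$")

# Profile file names stated in the thread.
PROFILE_NAMES = {"nam": "configuration.xml", "iseposture": "ISEPostureCFG.xml"}
# Assumption: the module's profile folder contains this text in its name.
PROFILE_DIR_HINT = {"nam": "nam", "iseposture": "posture"}

def check_staging(paths):
    """Return a list of problems found in a list of relative file paths."""
    problems, versions, profiles = [], {}, []
    for p in map(PurePosixPath, paths):
        m = MSI_RE.match(p.name)
        if m:
            versions[m["module"] or "core"] = m["version"]
        elif p.suffix.lower() == ".xml":
            profiles.append(p)
    core = versions.get("core")
    if core is None:
        problems.append("core AnyConnect package missing; it is installed first")
    for module, ver in sorted(versions.items()):
        if core and ver != core:
            problems.append(f"{module} is {ver} but core is {core}")
    for p in profiles:
        for module, hint in PROFILE_DIR_HINT.items():
            expected = PROFILE_NAMES[module]
            if hint in p.parent.name.lower() and p.name.lower() != expected.lower():
                problems.append(f"{p}: {module} profile must be named {expected}")
    return problems

if __name__ == "__main__":
    # Constructed staging folder: mismatched module version, wrong profile name.
    staged = [
        "anyconnect-win-4.0.00048-pre-deploy-k9.msi",
        "anyconnect-iseposture-win-4.0.00051-pre-deploy-k9.msi",
        "Profiles/posture/configuration.xml",
    ]
    for line in check_staging(staged) or ["staging folder looks consistent"]:
        print(line)
```
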

Actually I'm not using NAM, I'm using the Windows native supplicant to do the dot1x authentication.

 

I tested some installations here and I saw that when I install the AnyConnect client using the web deploy on ISE, it installs the core file, the ISE posture file and the compliance module file.

If I try to install manually these files that I told you about above (core and ISE posture), AnyConnect says "Failed to load compliance module", and really, I have not installed the compliance module, but there is no compliance module file in that folder to install.

 

The AnyConnect 4.0 Admin guide just says:

 

"Before AnyConnect release 4.0, OPSWAT binaries were part of the HostScan package and installed with the HostScan installer. You can download the HostScan support charts from cisco.com here: List of Antivirus, Antispyware, and Firewall Applications.
For AnyConnect release 4.0, OPSWAT binaries are posted as a different package with its own installer, separate from the package installer and module that it is used by.
Only OPSWAT v3 library can be uploaded to ISE, and you can manually load to the ISE from the local file system or directly via the ISE Update Feed URL."

 

So, the big question is, how can I install this Compliance module using the offline mode? Where is this .msi?

 

Thank you.

Btw, the admin guide for AC 4.0 has most of what I have written in this thread

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0.html
