Cisco ISE posture problem

Hi all,
I've been playing around with ISE demo and I am very impressed!!!
After trying different scenarios with my co-workers I came to a point where we find it kind of buggy.
I have rules to redirect unknown users to pasturing through web where they download NAC CLIENT and everything works fine.
Here's the catch:
On a windows 7 machine (connecting wirelessly with built in wireless client) they are stuck on posture pending if they do the following:
They connect - open up web browser - ise redirects them to download the client they hit install and the warning about installing the client pops up - that moment the user decides to close the browser (it's most likely to happen when you have 5000+ users)  - dissconnects from network and tries to re-connect again. NOW - when they open up the web browser ISE says unable to allow access to network and all that error.
So it's not letting them download the nac agent any more.. no matter what they do connect - reconnect wait 2-3 minutes nothing, only after a period of time they are able to get the NAC client installation page.
NOTE: this works totally fine on a windows xp machine with the INTEL PRO SET wireless utility.
It's not a big thing but when you have 5000+ clients and you want to introduce them to something new it will cause alot of helpdesk calls and all that you know how it goes.
Thanks in advance.
P.s I can create a short video of the whole process.

Very interesting thread. Can you tell me – how can ISE differentiate between a new/unknown computer owned by an employee and/or the organization, which you WANT to load the NAC client on, and a guest that you might want to give Internet access to but you don’t want to load a NAC client on?

Similar Messages

  • Cisco ISE - Posturing of a Linux Endpoint - Is it possible?

    We have a customer who wants to implement Cisco ISE and one of their requests is to posture Linux endpoints in addition to Windows endpoints.
    They have a set of system checks that they perform on Linux machines (catered towards RedHat) which they would like to be performed by ISE.
    From what I know prior to researching for this request was that the NAC agent is only compatible with endpoints running Windows or Mac OSX.
    Digging around, Linux endpoints are postured with a 'default-posture' status and thus an accompanying authorization profile must be set for 'default-posture'. I can't seem to find how to perform file checks, service checks, etc. on a Linux endpoint. Are these type of checks possible with Cisco ISE posture assessment on a Linux endpoint?
    One item that I found is to use the Host Scan package within the AnyConnect Posture module on a Linux endpoint.
    I see this as defeating the purpose of centralizing posturing on the ISE since the AnyConnect and ASA will be doing the posture checking.
    Any thoughts? Thanks in advance.

    Hello Alberto, posture assessment is not yet supported with ISE/AnyConnect. For more info check out the posture section in the ISE 1.3 Admin Guide:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010111.html
    Thank you for rating helpful posts!

  • Cisco ISE posture assesment and client provisioning

    Hello,
    I have Cisco ISE and Cisco IOS device. I have configured RADIUS in between these device.
    Also I have configured RADIUSbetween Cisco ISE and Cisco ASA. Now I want to know that how to do posture assesment for these devices(Cisco ISE and Cisco ASA or Cisco ISE and Cisco IOS). Please give me whole steps to do posture assesment for cisco ios device in Cisco ise.
    Also, please provide me logs related to posture assesment and client provisioning.
    Thanks in advance.

    You may go through the below listed link to download a PDF link
    Posture assessment with ISE.
    http://www.cisco.com/web/CZ/expo2012/pdf/T_SECA4_ISE_Posture_Gorgy_Acs.pdf
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Cisco ISE Posture support Symantec or Mcafee AV in one condition

                       Hi Team,
                        Any one help me regarding the configuration of the Cisco ISE. We want to configure one compound condition
                        for mcafee or symantec av server. Can I configure in a such manner that the client pc can have either macfee
                        or symantec server then posture will be compliant.
                        Abhishek Agrawal

    Abhishek,
    This is possible, please use this link for reference:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_pos_pol.html#wp1922448
    Your AV vendor will have to be supported based on the release notes:
    http://www.cisco.com/en/US/docs/security/ise/ComplianceModule/win-avas-3_5_1549_2.pdf
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Cisco ISE posture check for VPN

    Hello community,
    first of all thank you for taking time reading my post. I have a deployment in which requires the feature posture checks on VPN machines from Cisco ISE. I know logically once a machine is in the LAN, Cisco ISE can detect it and enforce posture checks on clients with the Anyconnect agent but how about VPN machines? The VPN will be terminated via a VPN concentrator which then connects to an ASA5555X which is deployed as an IPS only. Are there any clues to this? 
    Thank you!

    The Cisco ASA Version 9.2.1 supports RADIUS Change of Authorization (CoA) (RFC 5176). This allows for posturing of VPN users against the Cisco ISE without the need for an IPN. After a VPN user logs in, the ASA redirects web traffic to the ISE, where the user is provisioned with a Network Admission Control (NAC) Agent or Web Agent. The agent performs specific checks on the user machine in order to determine its compliance against a configured set of posture rules, such as Operating System (OS), patches, AntiVirus, Service, Application, or Registry rules.
    The results of the posture validation are then sent to the ISE. If the machine is deemed complaint, then the ISE can send a RADIUS CoA to the ASA with the new set of authorization policies. After successful posture validation and CoA, the user is allowed access to the internal resources.
    http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

  • Cisco ISE posture requirements whats the ordering of requirements?

    Hi Everyone,
    I am in the middle of deploying the anyconnect posture module (ac 4.0), with ISE 1.3. I have a problem, with the order of which the posture requirements get checked, it does not seem to order the requirements alphabetically, and can't figure out how to make it check for certain things, before other things. An example :
    I have Symantec SEP 12.1 AV in this environment, and i have the following checks :
    - AV_installed : is the av agent installed ?, if not start installation from a network share
    - AV_started : is the av agent started ?, if not try to start the service
    - AV_uptodate : is the av definitions up to date?, if not start the update function in the av client
    Now this is the order it needs to be checked in, as it would fail if i tried to check if the AV is running, before i check if it's actually installd,  but i can't get posture to do that, going on the names of the rules, these should alphabetically be run in the order i have, but they are not.
    Any ideas?, the documentation for posture is lacking to be polite, i have not been able to find anything describing this process.

    Abhishek,
    This is possible, please use this link for reference:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_pos_pol.html#wp1922448
    Your AV vendor will have to be supported based on the release notes:
    http://www.cisco.com/en/US/docs/security/ise/ComplianceModule/win-avas-3_5_1549_2.pdf
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Cisco ISE 1.2.x with Posture Configuration - Windows Patches

    Hi, Anybody has any experience in integrating Cisco ISE Posture with Microsoft SCCM?
    With WSUS this works fine, but with SCCM I don't have any idea how to proceed. Anybody knows what it's included in the predefined rules
    pr_WSUSRule and pr_WSUSCheck? I can't find any information in ISE Console or Cisco documentation.
    Thanks.

    Once agent performs the posture checks containing the windows hotfix checks, if the administrator configured the Launch Program Posture Remediation , agent will launch the script file which will initiate the windows hotfix updates via SCCM client configuration manager pre-installed/pre-configured on the box.

  • Cisco ISE trying to posture a device that should not be able to be postured

    Overview:
    Cisco ISE version 1.1.4. Windows PC will be postured using Web NAC agent. Mobile devices (Apple/Android) can't be postured and will be exempted from posturing. Mobile devices will be exempted using the condition EndPoints:PostureApplicable EQUALS No. This worked fine and mobile devices will be caught by this condition while Windows device will be caught by another that sends to posturing.
    Mobile device authorisation policy configured:
    Problem:
    A few days later, mobile devices doesn't seem to end up in the policy that has EndPoints:PostureApplicable EQUALS No. After having a look at monitoring, Cisco ISE is classifies  mobile devices as Posturable. The Posture Status previously was "NotApplicable" now shows up as "Pending". See below.
    Troubleshooting:
    I tried a total of 4 different mobile devices. 2 Apple and 2 Android. All of them have the Posture Status of "Pending". Interestingly after a few tries, both the Androids starting working and have the PostureStatus of "NotApplicable", no configuration changes were made. The 2 Apple device still doesn't work and show up as "Pending".
    I have restarted ISE, Access Point and Apple device. I have also tried other Apple device. All with the same problem.
    Have any of you guys experienced this before?

    Hi,
    I have also experienced the same issues as yourself and would recommend opening a tac case. However I have used the device registration web portal to redirect all previous detected mobile devices to accept the aup and have them statically assigned to an endpoint group so they do not hit this scenario.
    I know it is a workaround but its the only way i could get this to work and not affect devices that were one time detected as such.
    Tarik Admani
    *Please rate helpful posts*

  • Posture setup in Cisco ISE

    Dears
    I am trying to configure the posture for the ISE but the result is always " Posture status : pending " and the agent can access all network resources without any problem .
    please help

    Please review the below steps:
    Step 1 Choose Administration > System > Deployment >  Deployment.
    The Deployment navigation menu appears. Use the  Table view or the List view button to display the
    nodes in your deployment.
    Step 2 Click the Table view.
    Step 3 Click the quick picker (right arrow)  icon to view the nodes that are registered in your deployment.
    The Table view displays all the nodes that are  registered in a row format in the Deployment Nodes page.
    The Deployment Nodes page displays the Cisco ISE  nodes that you have registered along with their
    names, personas, roles, and the replication status  for the secondary nodes in your deployment.
    Step 4 Choose a Cisco ISE node from the  Deployment Nodes page.
    Note If you have more than one node that is  registered in a distributed deployment, all the nodes that
    you have registered appear in the Deployment Nodes  page, apart from the primary node. You
    have the option to configure each node as a Cisco  Cisco ISE node (Administration, Policy
    Service, and Monitoring personas) or an Inline  Posture node.
    Step 5 Click Edit.
    The Edit Node page appears. This page contains the  General settings tab that is used to configure the
    Cisco ISE deployment. This page also features the  Profiling Configuration tab, which is used to
    configure the probes on each node.
    Note If you have the Policy Service persona  disabled, or if enabled but the Enable Profiler services
    option is not selected, then the Cisco ISE  administrator user interface does not display the
    Profiling Configuration tab. If you have the Policy  Service persona disabled on any Cisco ISE
    node, Cisco ISE displays only the General settings  tab. It does not display the Profiling
    Configuration tab that prevents you from  configuring the probes on the node.
    Step 6 On the General settings tab, check  the Policy Service check box, if it is already active.
    If the Policy Service check box is unchecked, both  the session services and the Profiler service check
    boxes are disabled.
    Step 7 For the Policy Service persona to run  the Network Access, Posture, Guest, and Client Provisioning
    session services, check the Enable Session Services  check box, if it is not already active. To stop the
    session services, uncheck the Enable Session  Services check box.
    The posture service only runs on Cisco Cisco ISE  nodes that assume the Policy Service persona
    and does not run on Cisco Cisco ISE nodes that  assume the administration and monitoring
    personas in a distributed deployment.
    Step 8 Click Save to save the node  configuration.

  • Remote Access VPN posturing with Cisco ISE 1.1.1

    Hi all,
    we would like to start using our ISE for Remote VPN access.
    We have run a proof of concept with the ISE & IPEP with a Cisco ASA5505. We got the authentication working however posturing of the client did not work.
    That was a few months ago and so I was wondering whether any design document is available specifically around Using the Cisco ISE for Authenticating & Posturing Remote Access VPN clients.
    I understand that version 9 of the ASA code is supposed to eliminate the need for Inline Posture, does anyone know whether this will also allow posturing too?
    We do intend to by Cisco ASR's aswell, but I am sceptical of this as i do not know how many VPN licenses you get out of the box. The ASA's we have allow up to 5000 IPSec VPNs without having to purchase any licensing. What I do not want to do is to switch to SSL VPNs as this again will increase cost.
    I know ISR's are support NADs but what about ASRs? There is no mention.
    Any advise will be appreciated!
    Mario

    OK, I have come accross the Cisco Validated design for BYOD and in there it has a section about Authenticating VPNs.
    thats great... however it does not mention using the Inline posture node. Does anyone know if there is a limitation using Inline Posture and SSL VPNs...?
    essentially my requirements are
    2-factor authentication VPN using a Certificate & RSA Token
    Posturing of the VPN endpoint.
    Ideally i would like to use IPSec VPNs as i have licenses already for these on my ASAs. But if it will only work with SSL & AnyConnect, then so be it.
    Can anyone help?
    Mario

  • Cisco ISE AD (Windows Server 2013) Authentication Problem

    Background:
    Deployed two Cisco ISE 1.1.3. ISE will be used to authenticate wireless users, admin access to WLC and switches. Backend database is Microsoft AD running on Windows Server 2012. Existing Cisco ACS 4.2 still running and authenticating users. There are two Cisco WLCs version 7.2.111.3.
    Wireless users authenticates to AD through ACS 4.2 works. Admin access to WLC and switches to AD through ISE works. Wireless authentication using PEAP-MSCHAPv2 and admin access wtih PAP/ASCII.
    Problem:
    Wireless users cannot authenticate to AD through ISE. The below is the error message "11051 RADIUS packet contains invalid state attribute" & "24444 Active Directory operation has failed because of an unspecified error in the ISE".
    Conducted a detailed test of AD from ISE. The test was successful and the output seems all right except for the below:
    xxdc01.xx.com (10.21.3.1)
    Pinged:0 Mins Ago
    State:down
    xxdc02.xx.com (10.21.3.2)
    Pinged:0 Mins Ago
    State:down
    xxdc01.xx.com
    Last Success:Thu Jan  1 10:00:00 1970
    Last Failure:Mon Mar 11 11:18:04 2013
    Successes:0
    Failures:11006
    xxdc02.xx.com
    Last Success:Mon Mar 11 09:43:31 2013
    Last Failure:Mon Mar 11 11:18:04 2013
    Successes:25
    Failures:11006
    Domain Controller: xxdc02.xx.com:389
        Domain Controller Type: Unknown DC Functional Level: 5
        Domain Name:            xx.COM
        IsGlobalCatalogReady:   TRUE
        DomainFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
        ForestFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
    Action Taken:
    Log on to Cisco ISE and WLC using AD credentials. This rules out AD connection, clock and AAA shared secret as the problem.
    2)     Tested wireless authentication using EAP-FAST but same problem occurs.
    3)     Detailed error message shows the below. This rules out any authentication and authorization polices. Before even hitting the authentication policy, the AD lookup fails.     
    12304  Extracted EAP-Response containing PEAP challenge-response
    11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - AD1
    24430  Authenticating user against Active Directory
    24444  Active Directory operation has failed because of an unspecified error in the ISE
    4)     Enabled AD debugging logging and had a look at the logging. Nothing significant and no clues to the problem.
    5)     Tested wireless on different laptos and mobile phones with same error
    6)     Delete and add again AAA Client/Devices on both Cisco ISE and WLC
    7)     Restarted ISE services
    8)     Rejoin domain on Cisco ISE
    9)     Checked release notes of ISE 1.1.3 and WLC 7.2.111.3 for any open caveats. Nothing found related to this problem.
    10)    There are two ISE and two WLC deployed. Tested different combination of ISE1 to WLC1, ISE1 to WLC2 etc. This rules out hardware issue of WLC.
    Other possibilities/action:
    1)     Test it out on a different WLC version. Will have to wait outage approval to upgrade WLC software.
    2)     Incompatibility of Cisco ISE and AD running on Microsoft Windows Server 2012
    Anyone out there experienced something similar of have any ideas on why this is happening?
    Thanks.
    Update:
    1) Built another Cisco ISE 1.1.3 sever in another datacentre that uses the same domain but different domain controller. Thais domain controller is running Windows Server 2008. This works and authentication successful.
    2) My colleague tested out in a lab environment of Cisco ISE 1.1.2 with Windows Server 2012. He got the same problem as described.
    This leads me to think there is a compatibility issue of Cisco ISE with Windows Server 2012.

    Does anyone know if ISE 1.1.3 p1 supports AD DCs running 2012, if not which patch is required ot version?
    Worryingly when ISE joins a 2012 DC it states it's connected successfully, and if another 2003 DC is available in that datacentre it will perform the auths against that DC whilst actually advertising (Connections in the GUI) that it's connected to the 2012 DC. We ended up mapping 8 PSN IP’s to another datacentre which has one Win2003 servers whilst the old 2003 DC is being promoted back, the 8 ISE servers started working, even though they still advertised they were connected to the 2012 DCs in the original datacentre - I performed a leave and join on one PSN and only then did it advertise that the node was connected to a DC in a different datacentre

  • Cisco ISE inline posture node Posture assessment query

    Hi all,
    i read the user guide for the ISE 1.1 and in the Inline posture section, I picked up the following text which concerned me if I understand it right...
    "In a deployment, such as outlined in the example, when more endpoints connect to the wireless network
    they are likely to fall into one of the identity groups that already have authenticated and authorized users
    connected to the network.
    For instance, there may be an employee, executive, and guest that have been granted access through the
    outlined steps. This situation means that the respective restrictive or full-access profiles for those ID
    groups have already been installed on the Inline Posture node. The subsequent endpoint authentication
    and authorization uses the existing installed profiles on the Inline Posture node, unless the original
    profiles have been modified at the Cisco ISE policy configuration. In the latter case, the modified profile
    with ACL is downloaded and installed on the Inline Posture node, replacing the previous version."
    Does this mean that if a corporate user VPNs in and successfully passes posture and gets a dACL applied to the session allowing full access, will the next user completely skip posture assessment and granted full access to the network if they are a member of the same AD group?
    I am planning on using the iPEP for posturing VPN clients and using AD groups to determine the correct dACL to apply to a particular VPN session.
    Thanks!
    Mario

    I'm not too familiar with the actual operations of the Inline Posture node, but it seems to me that the only things that are more or less "cached" are the authentication and authorization profiles that have been previously matched. So, even if they're "cached" and a endpoint matches and authorizes based on those policies, it would match on the policy that provides a pre-posture state. So, a PRE-POSTURE ACL would be pushed and an URL redirect would also occur to the NAC agent download portal (if the endpoint doesn't have it already).
    After posture is assessed, a change of authorization would occur and reauthorize that endpoint's session.
    So, in short, even if the profiles are cached, they only deliver pre-posture profiles. After posture assessment, the endpoint is goes through reauth via CoA.
    If you have access to the partner education connection, I suggest checking out the VoE deep dive series for ISE. There's a posture presentation that would probably help you out.
    https://communities.cisco.com/docs/DOC-30977
    HTH,
    Ryan

  • Cisco ISE (1.3) Posture without Client Provisioning

    Hello readers,
    Is it possible to set up Cisco ISE with posture without Client Provisioning?
    My customer deploys the NAC Agent via MS SCCM. We prefer a access accept + DACL during the pending state instead of redirecting to client provisioning. But the NAC Agent will only communicate when we redirect to client provisioning.
    Regards,
    Dennis

    With ISE you can perform 802.1x first and after that optionally you can perform posture. This is done with Radius, that's why it's really and completely out of band, and there's no such concept of trusted or untrusted port because the traffic is never inline.
    Still, with ISE you have another option of "inline Posture", in which there's trusted and untrusted ports. I guess that's for some specific cases in which you can't go out-of-band.
    On the other hand, so called "out-of-band" NAC was really always an inline solution, only after the user has authenticated and security policies have been verified then the user goes "out-of-band".

  • Problem to get Web admin access on cisco ISE

    Hi,
    We are currently having problems to access via Web admin UI to cisco ISE. after we put the password, we get this message on screen:
    authentication failed due to zero RBAC group.
    The ISE version that we are using is: 1.1.2.145 path 3
    Do you have any idea about that?
    Thank you for your attention on this matter.
    Regards.

    In Cisco ISE, RBAC policies are simple access  control policies that use RBAC concepts to manage admin access. These  RBAC policies are formulated to grant permissions to a set of  administrators that belong to one or more admin group(s) that restrict  or enable access to perform various administrative functions using the  user interface menus and admin group data elements. I think there is problem with your RBAC policy configuration. Please follow the below link for help.
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_identities.html#wp1282656
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_identities.html#wp1283009

  • Cisco ISE with AD Problem: "Could not read groups data: Global catalog not found"

    Hi all,
    When I make the ActiveDirectory integration with Cisco ISE, I have complete with this integration. but when I try to read the Groups from Active Directory, ISE shows the message "Could not read groups data: Global catalog not found".
    My Domain has multiple sites and subnets, each contains GC for local logon. I have set ISE to the correct site and subnet. Forward and Reverse DNS are working with no error.
    Does anyone get this problem, please help.
    I have check into the ISE CLI Reference Guide 1.1.x
    You are about to configure Active Directory settings.
    Are you sure you want to proceed? y/n [n]: y
    Parameter Name: dns.servers
    Parameter Value: 10.77.122.135
    Active Directory internal setting modification should only be performed if approved by ISE
    support. Please confirm this change has been approved y/n [n]: y
    What shoud I set in the Parameter Name ? dns.servers or my dns hostname ?
    Please suggest for this too.
    Thanks and Regards,
    Pongsatorn M.

    Hi Pongsatorn,
    Thanks for the reply!
    I've attached the results of the ISE detailed AD test. As you can see, there is a fair number of domain controllers in the AD forest.
    It seems everything works correctly until it gets to testing the AD connectivity on port 3268. Then I get this:
      Testing Active Directory connectivity:
        Global Catalog: pdascdc02.xyz.com
          gc:       3268/tcp - refused
      Testing Active Directory connectivity:
        Global Catalog: pdascdc02.xyz.com
          gc:       3268/tcp - refused
    For some reason, the request to the controllers on port 3268 is being refused.
    Any thoughts you might have are greatly appreciated.
    Cheers,
    Greg

Maybe you are looking for