ISE posture status NotApplicable

Hello,
after upgrading ISE 1.2 to 1.2.1, I can't see the posture status (Pending) although it is working properly. I tried to install patch 1 but got the same result.
Before upgrading, the posture status was Pending while the posture status had still not reached ISE.

I have the same problem too.
When a workstation installs NAC Agent 4.9.4.3 successfully, the posture gets stuck.
I don't see anything about the NAC Agent in the reports "Posture Detailed Assessment" and "Client Provisioning".
Any help or advice please? Should I configure the redirect ACL, dACL, switch ACL, or something like that?

Similar Messages

  • [ISE] Posture Status - Not applicable

    Hi,
    I configured WiFi Guest Access with WLC and ISE and it works great.
    Now I want to check client posture.
    I configured a posture policy
    On Windows7 client, I installed NAC client. With network sniffer, I can see SWISS protocol (TCP 8905) between client and ISE.
    In authentications log, Posture Status is always "NotApplicable"
    Why is this posture not applicable?
    Thanks a lot!
    Patrick

    Hello Tarik,
    Result NonCompliant: http://uploaddeimagens.com.br/imagens/result_noncompliant-jpg
    Posture rule: http://uploaddeimagens.com.br/imagens/posture_rule-jpg
    The client provisioning is set to force NAC Agent version 4.9.0.47
    Yes, the vlan is correct.
    The major problem is the NotApplicable status in the posture log: ISE is not applying the posture. Sometimes it works fine, sometimes it doesn't work and NotApplicable appears in the log.

  • ISE Posture Status Pending

    Hello,
    I am newly configuring and testing Posturing/Client Provisioning on ISE. I configured a Client_Provisioning Policy without any Posture_Policy just to test whether it works or not.
    My wireless client can authenticate and get and install NAC_Agent successfully, but after that no network access is given to the client PC.
    On the ISE Authentication Reports it shows (Posture Status Pending)
    and on the wireless client, every time I open the browser I get this message: "Cisco Agent was detected and is running. If you are still unable to access the network please contact your administrator"
    I don't know what the issue is, please help

    Hi Ravi,
    I have not yet configured any Posture policies. I have configured only the client-provisioning policy; I want to first test that client-provisioning works properly before applying any Posture-Policy.
    So my wireless clients are correctly redirected and receive the NAC Agent, but after that it seems that the NAC_Agent does not do anything and does not send any report back to ISE for further processing.
    On the ISE Authentication Report I can see the client is stuck in UNKNOWN-STATUS, and it shows Posture_Status Pending...
    It does not go to Noncompliant or Compliant status.
    I don't know what the issue can be; neither ISE shows me an error, nor the WLC.

  • Cisco ISE - Posturing of a Linux Endpoint - Is it possible?

    We have a customer who wants to implement Cisco ISE and one of their requests is to posture Linux endpoints in addition to Windows endpoints.
    They have a set of system checks that they perform on Linux machines (catered towards RedHat) which they would like to be performed by ISE.
    From what I knew prior to researching this request, the NAC agent is only compatible with endpoints running Windows or Mac OS X.
    Digging around, Linux endpoints are postured with a 'default-posture' status and thus an accompanying authorization profile must be set for 'default-posture'. I can't seem to find how to perform file checks, service checks, etc. on a Linux endpoint. Are these types of checks possible with Cisco ISE posture assessment on a Linux endpoint?
    One item that I found is to use the Host Scan package within the AnyConnect Posture module on a Linux endpoint.
    I see this as defeating the purpose of centralizing posturing on the ISE since the AnyConnect and ASA will be doing the posture checking.
    Any thoughts? Thanks in advance.

    Hello Alberto, posture assessment is not yet supported with ISE/AnyConnect. For more info check out the posture section in the ISE 1.3 Admin Guide:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010111.html
    Thank you for rating helpful posts!

  • Posture Status for Smartphones - Android - Pending

    I am trying to pass smartphones through our ISE infrastructure.  I have Windows working properly, it assigns a certificate, joins to the employee network, installs the NAC client, and requires remediation action.
    When an Android phone (haven't tried iOS yet) tries to connect it receives a certificate, is profiled as Android, and then gets stuck in posture status pending.
    I have attached a screenshot.
    Thanks.

    I was thinking - would reducing it to Registered Device (only registered devices would authenticate with 802.1x anyway) and SessionOS equals Android be vague enough to catch it and not allow it to pass?
    Endpoint Id: C8:AA:21:02:16:75
    Endpoint Profile: Android
    IP Address:
    Identity Store:
    Identity Group: RegisteredDevices
    Audit Session Id: ac1e10450000120e52056988
    Authentication Method: dot1x
    Authentication Protocol: EAP-TLS
    This is how one Android device is being profiled - I would guess that would allow it if I opened the rule up more?

  • ISE Posture for non-agent device problem

    I have a couple of questions:
    - The documents say: "these (non-agent) devices assume the Default Posture Status settings". I wonder how ISE determines that a device is a non-agent device, or to put it another way, when are the Default Posture Status settings applied to a device? Is it after some period of time without receiving anything from the agent? If yes, can I change that time in ISE, and where?
    - I tested this in my lab and saw that: after the user successfully logs in with his account, and the Authorization profile with Client provisioning is applied to that session, the user goes to a web page and gets redirected to the CPP page. Now if he just sits there and doesn't install the NAC agent, I noticed that after about 40s the session is automatically restarted as a new one, with a different session ID but the same username. The new session gets to the point where the same redirect Authorization profile is applied and the whole process cycles over and over. Things I observed each time the session restarts:
    + The user doesn't even have to enter the credentials again. The 802.1x login doesn't pop up
    + The Default Posture status (I set it to Noncompliant) is applied to the session right before it restarts. I can see an event on ISE indicating that. The event also shows the Acct-Terminate-Cause as "Admin Reset"
    + If at any point the user installs a NAC agent then he can break the cycle (e.g. becomes compliant) and carry on with other Authorization profiles
    So my question is: is that expected behavior of ISE? It seems to cause no harm except that new sessions are created continuously.
    Or have I configured something wrong?

    Anybody?

  • ISE Posture Assessment

    Hi,
    While reading about ISE posture, I got to know that ISE searches the "User Agent" attribute for the string "NAC Agent" to confirm that the NAC agent is present on a particular machine. This information is passed to ISE when the user opens a web browser, i.e. the user gets redirected.
    If the NAC agent is not present on the machine then the NAC agent will get downloaded and then posture assessment starts.
    While testing this on ISE, I noticed that
    if the NAC agent is already present on the machine then posture assessment starts directly, even without opening a web browser.
    Now my question is, how does ISE come to know that the NAC agent is already present on the machine without opening a web browser?
    Regards,
    Aditya

    I second Richard on the fact that it can't be done. However, I was going through this and wanted to share in case it helps.
    Default Posture Status
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_pos_pol.html#wp1919363
    Jatin Katyal
    - Do rate helpful posts -

  • ISE default settings for "ISE - Process Status"

    Please put default settings for alerts "ISE - Process Status" for CiscoISE (PAN / Operations / Alarms / Rules / Criteria / Monitor Processes).
    For example, for version 1.1.4.218 for virtual machines.
    Thanks in advance!

    Hi
    You can view process status for the network from the Cisco ISE dashboard using the System Summary dashlet. For example, when processes like the application server or database fail, an alarm is generated and you can view the results using the System Summary dashlet.
    One of the requirements for creating an alarm rule is that you assign it to a schedule. The following task shows you how to create an alarm rule, and then assign it to a schedule.
    The following default alarm rules are shown in the user interface:
    • ISE - AAA Health
    • ISE - Process Status
    • ISE - System Errors
    • ISE - System Health
    You can create these alarm rules using the following procedure:
    • Passed Authentication
    • Failed Authentication
    • Authentication Inactivity
    • Authenticated But No Accounting Start
    • Unknown NAD
    • External DB Unavailable
    • RBACL Drops
    For more information about configuration etc., please go through this link:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf
    at page 928

  • ISE posture requirement to check if endpoint's USB port is disabled

    Hi,
    I wonder if it is possible to set a disabled USB port on the endpoints as a requirement in ISE Posture?
    Appreciate your input.
    Mike

    If your question pertains to the capability of the ISE disabling the USB port on a PC, then the answer is no.
    Using the NAC agent, however, you can check various programs and may be able to check the condition of USB.
    You would have to create a New Posture Condition and Remediations.
    The condition that I will use in this example is a Registry Key.
    If the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start" has a value of 3, the USB is enabled.  A value of 4 is disabled.
    So set a Posture Condition:
    Click Policy > Policy Elements > Conditions
    Choose Posture from the left menu:
    Then choose Registry Condition from the left menu.
    Click +Add to add a new Posture Condition:
    Then you have to create Remediation Actions.  Click the Results button at the top of the left Menu:
    Choose Remediation Actions and choose the Remediation you want to use.  I chose Link Remediation.
    +Add to add a new Link Remediation:
    Then choose Requirements from the left menu and create a new Remediation Result:
    Of course, you can choose different remediations as necessary for your environment.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • ISE 1.1.3 posture status OK but network connection failed

    Hello,
    I am on my way to making this ISE work.
    Now I am able to do posture assessment and reauthenticate with success.
    The logs say it's OK, I have two lines.
    NACAgent on the host does the job correctly but the NIC says "Network failure" despite NACagent granting the access.
    Any ideas, folks?
    Regards.
    Vincent.
    The switch says :
    03:04:28: %AUTHMGR-5-START: Starting 'dot1x' for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
    03:04:59: %DOT1X-5-FAIL: Authentication failed for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID
    03:04:59: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
    03:04:59: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
    03:04:59: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
    03:04:59: %AUTHMGR-5-FAIL: Authorization failed for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
    Here is the SW's config :
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
    client 192.168.6.10 server-key 123456789
    aaa session-id common
    no ip domain-lookup
    ip domain-name security.com
    ip dhcp excluded-address 192.168.6.29 192.168.6.100
    ip dhcp pool test
       network 192.168.6.0 255.255.255.0
    ip dhcp snooping vlan 1
    ip device tracking
    dot1x system-auth-control
    dot1x critical eapol
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface FastEthernet1/0/1
    switchport mode access
    authentication open
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    interface Vlan1
    ip address 192.168.6.100 255.255.255.0
    ip classless
    ip http server
    ip http secure-server
    ip sla enable reaction-alerts
    snmp-server community snmp RO
    snmp-server enable traps mac-notification change move threshold
    snmp-server host 192.168.6.10 version 2c snmp  mac-notification
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 192.168.6.10 auth-port 1645 acct-port 1646 key 123456789
    radius-server vsa send accounting
    radius-server vsa send authentication
    line con 0
    line vty 5 15
    ntp clock-period 36029254
    ntp server 192.168.6.29
    end
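    The six switch syslog lines quoted above can be parsed to show what the auth manager actually decided for that session. This is an added example (not code from the post or from Cisco); it assumes only those six lines, embedded below as constructed sample input, and the IOS AUTHMGR/DOT1X message format they show.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the six switch syslog lines quoted in the post above.
SAMPLE_LOG = """\
03:04:28: %AUTHMGR-5-START: Starting 'dot1x' for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
03:04:59: %DOT1X-5-FAIL: Authentication failed for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID
03:04:59: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
03:04:59: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
03:04:59: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
03:04:59: %AUTHMGR-5-FAIL: Authorization failed for client (bcae.c530.0948) on Interface Fa1/0/1 AuditSessionID C0A8066400000028009C4FA8
"""

# One IOS auth-manager line: timestamp, mnemonic, free text, client MAC, interface,
# and an AuditSessionID that may be absent (the DOT1X-5-FAIL line above carries none).
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d): %(?P<mnemonic>[A-Z0-9]+-\d-[A-Z]+): (?P<msg>.*?)"
    r" for client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+)"
    r"(?: AuditSessionID(?: (?P<sid>[0-9A-F]+))?)?$"
)


def parse_events(text):
    """Parse syslog lines into dicts; lines that do not match the pattern are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]


def summarize(events):
    """Group events per (mac, interface) and record what the auth manager did."""
    clients = defaultdict(lambda: {"sid": None, "start": None, "results": [],
                                   "exhausted": False, "authz_failed": False})
    for ev in events:
        c = clients[(ev["mac"], ev["intf"])]   # keyed on MAC+port because one line lacks the session ID
        if ev["sid"] and c["sid"] is None:
            c["sid"] = ev["sid"]
        mn = ev["mnemonic"]
        if mn == "AUTHMGR-5-START":
            c["start"] = ev["time"]
        elif mn == "AUTHMGR-7-RESULT":
            r = re.search(r"result '([^']+)' from '([^']+)'", ev["msg"])
            if r:
                c["results"].append((r.group(2), r.group(1), ev["time"]))  # (method, result, time)
        elif mn == "AUTHMGR-7-NOMOREMETHODS":
            c["exhausted"] = True
        elif mn == "AUTHMGR-5-FAIL":
            c["authz_failed"] = True
    return dict(clients)


def seconds_between(t1, t2):
    fmt = "%H:%M:%S"
    return int((datetime.strptime(t2, fmt) - datetime.strptime(t1, fmt)).total_seconds())


def diagnose(summary):
    """Return {(mac, intf): verdict} explaining why the port ended in AUTHMGR-5-FAIL."""
    verdicts = {}
    for key, c in summary.items():
        methods = [m for m, _, _ in c["results"]]
        if (c["exhausted"] and c["authz_failed"] and methods == ["dot1x"]
                and c["results"][0][1] == "no-response"):
            gap = seconds_between(c["start"], c["results"][0][2]) if c["start"] else "?"
            verdicts[key] = (f"dot1x no-response after {gap} s and no fallback method "
                             f"(no mab/webauth in the authentication order): the switch saw no EAP reply")
        elif c["authz_failed"]:
            verdicts[key] = "authorization failed after methods: " + ", ".join(methods)
        else:
            verdicts[key] = "no failure recorded"
    return verdicts


if __name__ == "__main__":
    for key, verdict in diagnose(summarize(parse_events(SAMPLE_LOG))).items():
        print(key, "->", verdict)
```

    The 31 s between START and the no-response result is consistent with the "dot1x timeout tx-period 10" in the config above and the IOS default of two retransmissions, so the failure is the supplicant not answering EAP on that port rather than a RADIUS or dACL problem.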

    Hello Tarik, thanks for trying to help !
    I guess that we all have configured the Sw and ISE as described in the documentation.
    It would be kind to give us a standard Sw config that works. In my opinion, dACL is the point to be clarified urgently.
    No IP Phone at all.
    How to configure the dACL on ISE? (pre-posture, redirect)
    What are the ports? (8443, 8905, any others?)
    Do we need an ACL to be set in the Sw before the dACL is applied?
    Please answer those questions first, and we will provide you some logs.
    I'm not able to have a stable behaviour any more.
    Latest tested IOS: c3750-ipbasek9-mz.122-52.SE.bin (compatibility matrix on Cisco Website)
    We waste a lot of time not trying to debug the software, but trying to find which parts work together.
    Thanks again Tarik.

  • ISE Posture Condition for Windows Service Pack and Remediation

    Hi,
    We have ISE ver 1.1.1 and are currently on a PoC. I have the following points to be clarified for Posture and Remediation.
    1) How to configure a condition to check the Windows Service Pack (maybe more than one Windows flavor such as XP, Win 7 and Win 8) and how to remediate in case the client is not complying with the Windows requirement.
    2) I configured an AV condition and it looks like it's working fine, however I still couldn't find the place for how to remediate in case the client does not have the proper version and AV definition on his PC.
    3) We have an Authorization profile configured with dACL "Posture Remediation" where we allow the AV server update URL, and also a matching ACL configured on the switch, "Posture Redirect"; I want to know the exact purpose of these two ACLs.
    4) Where can we see the logs of non-compliant clients and find out the reason for non-compliance?
    I'd appreciate it if someone could please give us a proper document to achieve the above tasks or send me any working scenario configuration steps.
    thanks in advance.

    1. Windows Server Update Services (WSUS) remediation remediates Windows clients from a locally managed WSUS server, or a Microsoft-managed WSUS server, with the latest Windows service packs, hotfixes, and patches (WSUS updates) for compliance. You can create a WSUS remediation where a NAC Agent integrates with the local WSUS Agent to check whether the endpoint is up-to-date for WSUS updates. You can also duplicate, edit or delete WSUS remediations from the remediations list.
    You can configure Windows clients to receive the latest WSUS updates from a Microsoft-managed WSUS server, or a locally administered WSUS server, for compliance.
    The Windows Server Update Services (WSUS) remediations list page displays all the WSUS remediations along with their names, descriptions, and their modes of remediation.
    Check the following links for configuration:
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1554782
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1554884
    2. For AV/AS remediation configuration check this link: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1657420

  • ISE posture redirect not working

    ISE v1.1.0.665, 3395 h/w.
    Single Admin/Monitor/Policy node.
    WS-C3560-48TS      12.2(55)SE5           C3560-IPBASEK9-M
    For Client Provisioning I created an authorisation policy as follows:
    download acl "ACL-POSTURE-REMEDIATION"
    apply url redirect "ACL-POSTURE-REDIRECT".
    "Debug radius" shows all this is downloaded to the switch but:
    - Redirect does not work.
    - dACL is not applied if the URL redirect is also configured.
    Wireshark on the client shows no redirect.
    Attached file shows "debug radius" for various combinations of authorisation policy i.e. dACL only, Redirect only, dACL + Redirect.
    I've also attached screen shots of these policies and wireshark.

    Grant,
    It looks like you are changing the VLAN after your client gets an IP address; it seems like the client gets an IP address of
    192.168.16.164 and you are changing the VLAN over to 516. I wanted to check that there isn't an IP-to-VLAN mismatch before you move forward. If 516 is the quarantine VLAN you may want to start all clients on that VLAN and use dynamic VLAN assignment through change of authorization once a client becomes compliant. The reason is that you can use the web portal, or the NAC agent, to change the IP address once the VLAN is changed.
    Thanks,
    Tarik Admani

  • Cisco ISE posture assesment and client provisioning

    Hello,
    I have Cisco ISE and a Cisco IOS device. I have configured RADIUS between these devices.
    Also I have configured RADIUS between Cisco ISE and Cisco ASA. Now I want to know how to do posture assessment for these devices (Cisco ISE and Cisco ASA, or Cisco ISE and Cisco IOS). Please give me the whole steps to do posture assessment for a Cisco IOS device in Cisco ISE.
    Also, please provide me logs related to posture assessment and client provisioning.
    Thanks in advance.

    You may go through the link listed below to download a PDF:
    Posture assessment with ISE.
    http://www.cisco.com/web/CZ/expo2012/pdf/T_SECA4_ISE_Posture_Gorgy_Acs.pdf
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ISE posture based upon switch user is connected to

    OK, I am a new ISE user and definitely an early beginner at creating ISE policies. I have successfully created a policy that can determine whether you are using a corporate asset or not and, using 802.1x authentication, grant you access to corporate resources or not. This policy also assigns the VLAN the user is placed into. It seems to work quite well so far, at least as a baby step in policy creation.
    Our building has different VLANs based upon floors and the like, and I would like the policies to take this into consideration when assigning the VLAN. Is there a way to include which switch the posturing process is flowing through to assist in assigning the VLAN? I am thinking I would have separate policies based upon the switch / stack but am not sure how to include that in the logic. I figured it would be similar to my policy where I check corporate assets and that you are wireless and that you have a valid AD account, but I have been unable to figure out the endpoint part. I have created network groups for my network devices but am stumped after that. Is there something else I should or could be doing instead? Do I need a completely different train of thought?
    Brent

    Hello Brent, using "Network Device Groups" can definitely make this possible for you. For instance, you can create a "Location" based group hierarchy that looks something like this:
    All Locations > HQ > Floor-1
    All Locations > HQ > Floor-2
    All Locations > DR > Floor-1
    etc
    Then you can reference that group in your authorization policy by using something like this
    If "Conditions > Device > Location" = All Locations > HQ > Floor-1
    then
    Permissions = "HQ_Floor-1-Posture"
    If "Conditions > Device > Location" = All Locations > HQ > Floor-2
    then
    Permissions = "HQ_Floor-2-Posture"
    I hope this helps and addresses your issue. 
    Thank you for rating helpful posts!

  • Cisco ISE posture requirements whats the ordering of requirements?

    Hi Everyone,
    I am in the middle of deploying the AnyConnect posture module (AC 4.0) with ISE 1.3. I have a problem with the order in which the posture requirements get checked: it does not seem to order the requirements alphabetically, and I can't figure out how to make it check for certain things before other things. An example:
    I have Symantec SEP 12.1 AV in this environment, and I have the following checks:
    - AV_installed: is the AV agent installed? If not, start installation from a network share
    - AV_started: is the AV agent started? If not, try to start the service
    - AV_uptodate: are the AV definitions up to date? If not, start the update function in the AV client
    Now this is the order it needs to be checked in, as it would fail if I tried to check whether the AV is running before I check whether it's actually installed, but I can't get posture to do that. Going on the names of the rules, these should alphabetically be run in the order I have, but they are not.
    Any ideas? The documentation for posture is lacking, to be polite; I have not been able to find anything describing this process.

    Abhishek,
    This is possible, please use this link for reference:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_pos_pol.html#wp1922448
    Your AV vendor will have to be supported based on the release notes:
    http://www.cisco.com/en/US/docs/security/ise/ComplianceModule/win-avas-3_5_1549_2.pdf
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
