NAC 4.7

Dear all,
I am facing a problem with my NAC and NAM servers. I am trying to deploy an OOB Virtual Gateway. Both are connected to each other, and on the NAM, Device Management >> CCA Servers shows it as connected, as in the attachment.
My NAS server IP: 200.200.201.2
My NAM server IP: 200.200.202.2
I have not deployed DNS yet; I will do that later. When I go to my user PC and type http://192.168.1.1 (my HTTP server IP) in the browser,
the username/password prompt does not appear; the page cannot be displayed.
https://200.200.201.2/auth/perfigo_weblogin.jsp?cm=ws32vklm&uri=http%3A%2F%2F192.168.1.1%2F
What do I do now?
Please help me!
Herok

Thanks all, I solved the problem!

Similar Messages

  • NAC SSO in Windows 7 not Working

    Hello,
    I'm having problems with SSO process on workstations with Windows 7 and I need help to solve it.
    ENVIRONMENT:
    Clean Access Manager: 4.9.0
    Clean Access Server: 4.9.0
    Clean Access Agent: 4.9.0.33
    Compliance Module: 3.4.27.1
    Windows Domain : Windows 2003 Server Full Functional Level
    Status of Active Directory SSO: Started
    More information:
    On the Windows domain controller, I ran the following command with no errors:
    ktpass -princ NAC_USER/[email protected] -mapuser NAC_USER -pass mypass -out c:\nac_user.keytab -ptype KRB5_NT_PRINCIPAL
    The file nac_user.keytab was created in c:\ of the DC.
    On Windows XP workstations, SSO is working correctly.
    On Windows 7 workstations it works when I manually enable DES in "Start > Control Panel > System and Security > Administrative Tools > Local Security Policy > Local Policies > Security Options > Network security: Configure encryption types allowed for Kerberos".
    I have many workstations running Windows 7 and cannot do this manual procedure on all of them.
    Running tail -f /perfigo/access/tomcat/logs/nac_server.log on the CAS, I see the following messages during an attempt to do SSO from an unchanged Windows 7 workstation:
    2012-03-09 11:45:21.231 +0100  RMI TCP Connection(481)-10.5.32.248 WARN  com.perfigo.wlan.jmx.adsso.GSSServer               - Server was not running ...
    2012-03-09 11:45:21.231 +0100  RMI TCP Connection(481)-10.5.32.248 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - Server starting server ...
    2012-03-09 11:45:21.329 +0100  RMI TCP Connection(481)-10.5.32.248 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - Server is now running ...
    2012-03-09 11:45:21.329 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - SPN : [NAC_USER/[email protected]]
    2012-03-09 11:45:21.329 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - building kdc list for domain mydomain.net
    2012-03-09 11:45:21.469 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - done building kdc list for domain mydomain.net
    2012-03-09 11:45:21.469 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - KDC(s) :[srvslsdc001.mydomain.net, srvpnpdc001.mydomain.net, srvpnpdc002.mydomain.net, srvalvdc001.mydomain.net, srvtatdco001.mydomain.net, srvtatdco002.mydomain.net, srvpaldc002.mydomain.net, srvmurdc001.mydomain.net, srvnundc001.mydomain.net]
    2012-03-09 11:45:21.469 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - writeKrbFile: writing to file ../conf/krb.txt
    2012-03-09 11:45:21.469 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - writeKrbFile: wrote to file ../conf/krb.txt
    2012-03-09 11:45:21.470 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - creating login context ...
    2012-03-09 11:45:21.470 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - created login context ...javax.security.auth.login.LoginContext@b55e97
    2012-03-09 11:45:21.631 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - Notifying GSSServer status Started
    2012-03-09 11:45:21.807 +0100  Thread-88 DEBUG com.perfigo.wlan.jmx.adsso.GSSServer               - accepting ADSSO socket ...
    2012-03-09 11:45:42.285 +0100 10.5.112.140 SWissServer Thread INFO  com.perfigo.wlan.jmx.swiss.SWissUtil               - opswat=3.5.2.1 dm_opswat=3.5.2.1
    2012-03-09 11:45:42.329 +0100 10.5.112.140 SWissServer Thread INFO  com.perfigo.wlan.jmx.swiss.SWissUtil               - SWissServer: OPSWAT SDK Path=https://10.5.33.10/perfigo_download/CCAA/opswat-win.zip
    As you can see, I restarted the AD SSO service; the two bold lines are the records written while trying to SSO with Windows 7, but without success.
    The NAC Agent pops up requesting manual authentication.
    Does anyone know how to solve this?
    If you need more information please let me know .....
    Regards,
    Daniel Stefani

    Hi Guys,
    When I changed the files /perfigo/access/tomcat/conf/krb.txt and /perfigo/access/bin/starttomcat in CAS according to the configuration guide:
    /perfigo/access/tomcat/conf/krb.txt
    [libdefaults]
    kdc_timeout = 20000
    default_tkt_enctypes = RC4-HMAC
    default_tgs_enctypes = RC4-HMAC
    permitted_enctypes = RC4-HMAC
    and
    /perfigo/access/bin/starttomcat
    CATALINA_OPTS="-server ... -DKRB_OVERRIDE=true"
    an error was generated in nac_server.log when I tried to run the SSO service.
    ERROR:
    2012-03-07 11:52:50.655 +0100  Thread-77 ERROR com.perfigo.wlan.jmx.adsso.GSSServer               - Unable to start server ... KDC has no support for encryption type (14)
    But I remembered that during the changes I had ticked the option "Use DES encryption types for this account" on the user account I'm using to run the service.
    When I unticked this option on the user account and kept the changes to the files krb.txt and starttomcat, the SSO service started with no errors and Windows 7 users now do SSO too.
    tks,
    Daniel Stefani
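    The fix above moves the CAS and the AD account from DES to RC4-HMAC, which a default Windows 7 client accepts (its default Kerberos enctypes are RC4-HMAC and AES; DES is disabled). The Java message "KDC has no support for encryption type (14)" reports Kerberos error code 14, KDC_ERR_ETYPE_NOSUPP: the enctypes the CAS asked for did not match what the KDC would issue for that account. The keytab written by ktpass is the other half of that agreement, and the script below, an added example that is not code from this thread or from Cisco, parses a keytab and reports which enctypes each principal carries and whether a default Windows 7 client could use any of them. It builds its own sample keytabs in memory; the host name cas.mydomain.net, the realm MYDOMAIN.NET, the kvnos and the key bytes are constructed, not taken from the post.

```python
"""Report the Kerberos enctypes stored in a keytab (MIT keytab format 0x0502).

Added example, not code from this thread or from Cisco. A small keytab is
built in memory from constructed sample data (principal, realm and key bytes
are made up) so the script runs offline, then parsed back and each principal
is checked against the enctypes a default Windows 7 client will use.
"""
import struct
import time

# Enctype numbers from RFC 3961, RFC 3962 and RFC 4757
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
DES_ENCTYPES = {1, 2, 3}
WIN7_DEFAULT_ENCTYPES = {17, 18, 23}   # DES is disabled by default on Windows 7


def _counted(data: bytes) -> bytes:
    """keytab counted_octet_string: big-endian uint16 length followed by the bytes"""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries) -> bytes:
    """Serialise (principal, realm, kvno, enctype, key) tuples into keytab bytes."""
    out = [b"\x05\x02"]                                   # file format version 0x0502
    for principal, realm, kvno, enctype, key in entries:
        components = principal.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">I", 1)                      # name_type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", int(time.time()))       # timestamp
        body += struct.pack(">B", kvno & 0xFF)            # 8-bit vno
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                   # 32-bit vno extension
        out.append(struct.pack(">i", len(body)) + body)   # entry length prefix
    return b"".join(out)


def parse_keytab(blob: bytes) -> list:
    """Return one dict per live keytab entry; a negative size marks a deleted slot."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size < 0:
            pos += -size
            continue
        entry, p = blob[pos:pos + size], 0

        def take_string() -> str:
            nonlocal p
            (n,) = struct.unpack(">H", entry[p:p + 2])
            value, p = entry[p + 2:p + 2 + n], p + 2 + n
            return value.decode()

        (ncomp,) = struct.unpack(">H", entry[:2])
        p = 2
        realm = take_string()
        components = [take_string() for _ in range(ncomp)]
        name_type, timestamp, vno8 = struct.unpack(">IIB", entry[p:p + 9])
        p += 9
        enctype, klen = struct.unpack(">HH", entry[p:p + 4])
        p += 4
        key, p = entry[p:p + klen], p + klen
        kvno = struct.unpack(">I", entry[p:p + 4])[0] if size - p >= 4 else vno8
        entries.append({"principal": "/".join(components) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "key": key, "timestamp": timestamp})
        pos += size
    return entries


def audit_keytab(blob: bytes) -> dict:
    """Per principal: the enctypes present and whether a default Windows 7 client can use one."""
    report = {}
    for e in parse_keytab(blob):
        report.setdefault(e["principal"], set()).add(e["enctype"])
    return {princ: {"enctypes": types,
                    "win7_ok": bool(types & WIN7_DEFAULT_ENCTYPES),
                    "des_only": types <= DES_ENCTYPES}
            for princ, types in report.items()}


# Constructed samples (hypothetical host, realm and key bytes, not from the thread):
# a DES-only keytab such as "ktpass /crypto DES-CBC-MD5" writes, and one that also
# carries an RC4-HMAC key.
SAMPLE_DES_ONLY = build_keytab([
    ("NAC_USER/cas.mydomain.net", "MYDOMAIN.NET", 3, 3, bytes(range(8))),
])
SAMPLE_RC4_AND_DES = build_keytab([
    ("NAC_USER/cas.mydomain.net", "MYDOMAIN.NET", 4, 23, bytes(range(16))),
    ("NAC_USER/cas.mydomain.net", "MYDOMAIN.NET", 4, 3, bytes(range(8))),
])

if __name__ == "__main__":
    for label, blob in (("des-only", SAMPLE_DES_ONLY), ("rc4+des", SAMPLE_RC4_AND_DES)):
        for princ, r in audit_keytab(blob).items():
            names = ", ".join(ENCTYPE_NAMES.get(t, str(t)) for t in sorted(r["enctypes"]))
            verdict = ("usable by Windows 7 defaults" if r["win7_ok"]
                       else "DES only: Windows 7 clients will not SSO without enabling DES")
            print(f"[{label}] {princ}: {names} -> {verdict}")
```

    To check a real file, read it with open(path, "rb").read() and pass the bytes to audit_keytab. A principal that reports des_only is the keytab-side cause of the symptom in this thread; the account-side cause is the "Use DES encryption types for this account" flag and the enctypes listed in krb.txt, which the script cannot see.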

  • Use of NACE after creating print program n smart form

    What is the purpose of NACE? I have created my own print program and Smart Form according to my own requirements. If NACE is necessary for my Smart Form, how can I use NACE, i.e. what are the navigation steps?
    Please help me out. It's urgent.
    Thanks & Regards,
    Santhosh.

    Hi Santhosh,
    NACE is for message control settings. If you want to trigger a Smartform or an IDoc or any other customized program, you can do the message control settings there.
    Say at the time of sales order creation or update you want to trigger a Smartform; then you have to follow these steps:
    Go to NACE.
    Select application V1 and then click Output Types.
    Create a new output type or copy the existing one and save it with a new name.
    Then in Processing Routine mention the driver program name, and in Form Routine mention the main subroutine name.
    In Smartform mention your Smartform name, and also the layout if you have created one.
    Again go to NACE and Select application V1 and press Procedures.
    Here, out of the many procedures, you have to select the right one and attach your output type to it.
    You can also create a condition record, say if you want to trigger this Smartform only for sales orders of a particular type.
    Hope this helps.
    Reward Points if useful.
    Thanks.

  • NAC firmware upgrade from 4.1.3 to 4.7 or 4.8, anyone?

    I currently have 1 CAS 3310 Failover Bundle for Wireless user, and 1 CAM Lite Failover Bundle for management.
    CAS, CAM and Clean Access Agents are running 4.1.3. We are considering an upgrade in particular because some end-user machines are soon to be Windows 7. Our authentication for users is provided by AD SSO.
    I would like to know your experience when doing such a major jump (4.1.3 to 4.8.1). Looking for gotchas and known issues. Also what the incremental upgrade path looks like.
    I was thinking we can go 4.1.3 -> 4.6.1 -> 4.8.1. Any other way or recommendation? Cisco is highly recommending we go to 4.8.1 if at all possible.
    I am also aware that we need to create new root  certificates.
    Appreciate input.
    Thanks,
    Rosa

    Hi,
    Yes, that is the correct upgrade path: 4.1.3 -> 4.6.1 -> 4.8.1.
    I would recommend you go through the release notes for 4.6.1 and 4.8.1 for all the known gotchas and the detailed upgrade process.
    Gotchas/changes/upgrade process for 4.6.1: http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/461/461rn.html#wp65900.
    Gotchas/changes/upgrade process for 4.8.1:http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/481rn.html#wp65900.
    Regarding the certificates, you should not use the self signed certs due to security reasons, and they should only be used for lab purposes.
    This means that it still works with the self signed, but you need to import the CAS cert into the CAM trusted certification authorities and vice-versa, so that the CAM trusts the CAS cert and vice-versa.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Cisco Nac 3310 Upgrade From 4.1.6 to 4.7.2

    Hi,
    I have to upgrade the NAC environment from version 4.1.6 to version 4.7.2.
    This is the scenario.
    2 CAM
    2 CAS
    on 3310 Platform in HA-Pairs.
    On the Cisco website I found that upgrading to 4.7.2 is possible this way: 4.1.6 --> 4.1.8 --> 4.5.1 --> 4.7.2. I think that the direct upgrade 4.1.6 --> 4.5.1 is possible. Can you confirm that?
    Well, I've some questions about this upgrade.
    1) If the upgrade fails, is there any rollback task to do? Reinstall the CAM/CAS and restore the backup or what?
    2) Can you tell me the downtime for the upgrade 4.1.8 --> 4.5.1?
    3) The downtime for the upgrade 4.5.1 --> 4.7.2 ?
    Thanks in advance for the support!!!

    Thank you very much, I really appreciate your help!
    I will follow the procedures that Cisco indicates and i hope that everything will work fine!
    http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/418/418rn.html#wp75888
    http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/45/45rn.html#wp75888
    http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/47/472rn.html#wp75888
    I noticed that the tar.gz for the 4.7.2 upgrade from 4.5.x is an ISO file. Is this the correct file?
    The attached image shows the content of the file: cca_upgrade-4.7.2-from-4.5.x-4.6.x.tar.gz
    Is that right?

  • NAC 4.5 ADSSO on multiple AD servers not working, how to troubleshoot?

    Hi All,
         I'm handling a NAC (CAS and CAM version 4.5) to be implemented on a production network.  The network has two working AD servers, one acting as backup.  We want to configure the NAC to be able to run ADSSO even if the active AD fails, so we configured NAC to run ADSSO on multiple servers.  I followed the documents, ran ktpass for multiple ADs, installed kerbtray to see Kerberos tickets, but I'm still puzzled by the problem.  My CAS shows that the ADSSO service is already started, but my workstation cannot perform Single Sign-On.  After the "performing AD authentication" window, the agent then reverts back to a local account.  Please help, guys.  I'm willing to share other details about this.  Thanks.
    Regards,
    Dan

    Hi Faisal,
         The Unauthorized role is already in an all-traffic-enabled policy.  My problem is that the KT that is shown on the workstation is different from the one I created using ktpass, although I matched the case of the domain and the one in the ktpass command.  I would deeply appreciate it if you can help.  Thanks.
    Regards,
    Dan

  • NAC Guest Server, How to change the password for a single user?

    We have a NAC Guest Server which creates a complex password for all new users created.
    We would like to have normal/simple password for a single user. How can I get this done on a NAC Guest Server.
    Thanks in advance.

    Hi,
    You can setup 3 different flavours of passwords:
    http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_guestpol.html#wp1063249.
    a. Username Policy 1 - Email address as username
    Use the guest's email address as the username. If an overlapping account with the same email address exists, a random number is added to the end of the email address to make the username unique. Overlapping accounts are accounts that have the same email address and are valid for an overlapping period of time.
    b. Username Policy 2 - Create username based on first and last names
    Create a username based on combining the first name and last name of the guest. You can set a Minimum username length for this username from 1 to 20 characters (default is 10). User names shorter than the minimum length are padded up to the minimum specified length with a random number.
    c. Username Policy 3 - Create random username
    Create a username based upon a random mixture of Alphabetic, Numeric or Other characters. Type the characters to include to generate the random characters and the number to use from each set of characters.
    Note: The total length of the username is determined by the total number of characters included.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.
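    The three username policies in the answer above, as an added example that is not Cisco NAC Guest Server code and was not posted in the thread. It implements the stated rules: email as username with a random number appended only when an overlapping account (same email, intersecting validity period) exists; first+last name padded with random digits up to a minimum length of 1 to 20; and a random mix whose total length is the sum of the per-character-set counts. The 4-digit suffix, lower-casing, the integer validity windows and the character sets are assumptions about details the page does not give.

```python
"""Guest username policies as described in the answer above.

Added example, not Cisco NAC Guest Server code: it implements the three
username policies with the rules the answer states. The overlap test, the
4-digit suffix, the lower-casing and the character sets are assumptions
about details the page does not give.
"""
import secrets
import string
from dataclasses import dataclass


@dataclass
class GuestAccount:
    username: str
    email: str
    valid_from: int      # any comparable type works; ints keep the sample simple
    valid_to: int


def _overlapping(existing, email, valid_from, valid_to) -> bool:
    """Overlapping account: same email and validity windows that intersect."""
    return any(a.email == email and a.valid_from <= valid_to and valid_from <= a.valid_to
               for a in existing)


def username_from_email(email, valid_from, valid_to, existing, rng=None):
    """Policy 1: the email address; a random number is appended only on overlap."""
    rng = rng or secrets.SystemRandom()          # CSPRNG, not the default random module
    if not _overlapping(existing, email, valid_from, valid_to):
        return email
    return f"{email}{rng.randint(1000, 9999)}"   # 4 digits is an assumption


def username_from_names(first, last, min_length=10, rng=None):
    """Policy 2: first+last name, padded with random digits up to min_length (1..20)."""
    if not 1 <= min_length <= 20:
        raise ValueError("minimum username length must be between 1 and 20")
    rng = rng or secrets.SystemRandom()
    base = (first + last).replace(" ", "").lower()
    pad = max(0, min_length - len(base))
    return base + "".join(rng.choice(string.digits) for _ in range(pad))


def random_username(alpha=6, numeric=2, other=0, other_chars="-_", rng=None):
    """Policy 3: random mix; total length is the sum of the per-set counts."""
    rng = rng or secrets.SystemRandom()
    chars = ([rng.choice(string.ascii_lowercase) for _ in range(alpha)]
             + [rng.choice(string.digits) for _ in range(numeric)]
             + [rng.choice(other_chars) for _ in range(other)])
    rng.shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    # constructed sample: one existing guest valid from t=0 to t=100
    existing = [GuestAccount("guest@example.org", "guest@example.org", 0, 100)]
    print(username_from_email("guest@example.org", 50, 150, existing))   # overlap: suffixed
    print(username_from_email("guest@example.org", 200, 300, existing))  # no overlap
    print(username_from_names("Ann", "Lee"))                             # padded to 10
    print(random_username(6, 2, 1))
```

    The random parts come from secrets.SystemRandom rather than the default random module, since a guest username that can be predicted from a previous one is a weaker credential than the policy intends. A rng argument is accepted so a seeded random.Random can be passed in for reproducible tests.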

  • Guest Wireless Users Not Able to Get to NAC Guest Server

    First of all, I appreciate any of the help that can be offered on the post.  Your solutions and suggestions have been valuable, in the past!
    Here's the scenario.  I have two internal WLC's, and one anchor mobility server, in the DMZ.  The internal controllers are part of the 10.x.x.x range, while the DMZ WLC is in the 192.168.1.x range.  We also have a NAC Guest Server, in the DMZ that has a 192.168.1.x address.  Here's the problem, when a guest user uses our guest SSID, they're assigned a 172.16.x.x address, their traffic is intercepted, and they're presented with a login page.  If they don't have login credentials, there's a "Register Here" link that takes them to the NAC Guest Server to self-register.  When they click the "Register Here" link, for some reason they can't get to the NAC guest server.  If I bring up a command prompt, and type in "telnet 192.168.1.x 80", it connects.  The odd thing is that when I was testing, if I login with guest credentials, and then try to go to the NAC Guest Server self-service page, I can get to it with no problem.  Would anyone have any ideas as to why?

    I may have missed something here, but isn't the point of the guest portal that you can't get anywhere on the network (except the guest portal) until you have authenticated?

  • NAC and AD, Machine GPOs, Roaming Profiles = Chaos

    I've just observed a hapless Cisco consultant try to make NAC 4.1 work on computers with machine GPOs, roaming profiles, logon scripts within user GPOs, and for that matter legacy logon scripts with "run logon scripts synchronously" enabled. All of these technologies seem to fail on a NAC-enforced connection.
    We assign software on machine GPOs and we use roaming user profiles, and it seems we either need to have a domain controller and profile share on the isolation VLAN, which defeats the purpose of NAC, or perform some kind of machine authentication, which can occur before GPO processing and net logons can happen.
    While I'm not the Cisco consultant, it wasn't hard to recognize this problem.
    Everything I've read about NAC and CAA suggests this is a per-user compliance solution and not a per-machine solution. Surely others have observed this, and I think this is what machine authentication (802.1x) NAC, as opposed to user authentication NAC, is all about. At the risk of sounding like a total n00b, where can I start researching a NAC solution that supports what I want and lets us use the Cisco NAC gear we've already invested in?

    I have had similar issues and have solved many with a custom script that runs at log on. It is a compiled script and works great, AutoIT3.
    The policy part takes care of itself if you leave machines logged in long enough or do a gpupdate /force. This will force the group policy to synchronize but you will need to log off and on again.
    The roaming profile is much tougher. I am still trying to get this working. If anyone has any info on EXACTLY what takes place on a roaming profile synchronization, I would be grateful. If I can I will replicate that process in my script and solve this issue also.
    I have fixed the log in script stuff with a delayscript that I use (ironically) clean access to install. You have to launch it with the users credentials, though and not from Clean Access which uses the SYSTEM users credentials in its stub agent!
    This is a known issue to Cisco but any prodding of them to get it working would help. Their solution is braindead, just give unremediated machines full access! If they fail remediation, kick them off then. Gee, that gives the unremediated machine a mere two to three minutes to attack your AD DCs on each log in attempt. Not good.
    Anyway, that's where I am at. Most of this can be dealt with, some is still problematical.
    Dan S.

  • Assigning Smartform in NACE

    hi,
    I've developed a Smartform for purchase orders and configured it in NACE. Instead of MEDRUCK I have given the Smartform name as ZPURC, and I'm getting the error 'ERROR IN OPEN_FORM'.
    What should I do about this? Where should I configure the Smartform?
    thanks and regards,
    siri

    Hi Sirisha,
    Please check your logic.
    Assigning form in NACE.
    Goto NACE Transaction.
    select EF application and then click on Output types Push button.
    Now select output types NEU or NEUS and double click on Processing routines folder on the left side on the screen.
    Now in Medium Print Output, remove the form in the PDF/Smartform Form field and assign your own form name which you have created.
    Best regards,
    raam

  • Problem while assigning smartform in NACE

    Hi all,
    I am getting the following error while trying to assign a Z-smartform in NACE transaction. Rewards assured
    <b>Diagnosis</b>
    For output type NEU and transmission medium 8 an entry has been maintained in the table of processing programs, but in this entry no processing program has been specified.
    <b>System Response</b>
    When the output will be processed later on, it cannot be issued.
    <b>Procedure</b>
    Specify at least one processing program and one processing routine in this program.

    Hello Jai,
    I just received the same error while updating our PO. 
    In my case, the problem was that medium "Special function" had an entry line with no program assigned.  This was set up in the original configuration of the system, and since I had only changed the "Print output" entry, I wasn't sure what was causing the message. 
    Since the "Special function" entry was blank, I tested that to see if it was the issue.  Removing that entry did eliminate the message.
    Since the message I received was an informational message, an alternative method to proceed was by simply hitting "Enter" when the message appeared.  I don't see why a blank entry would be required, but since I didn't do the original system configuration, this was the method I chose so as to not change any existing settings other than for the Smartform on which I was working.
    This is an old thread, but I thought I would add this information in case anyone stumbles across it while searching for information about this error (which is how I found the thread.)
    Blaine

  • TRANSMISSION MEDIUM AND FORM ROUTINE IN CASE OF NACE TRANSACTION

    While saving a invoice, I have created a routine which will pick an output type when a certain condition is met.
    A custom report (Zprogram) needs to be triggered automatically during this invoice save. So we need to attach this Zprogram to output type.
    Could anybody tell me the transmission medium to be selected and also what needs to be entered in the field Form routine for this program which I have created in the transaction NACE->V3(Billing)->Output types->Processing routines?
    Thanks in advance.

    HI Shah,
    Form routine is nothing but a sub routine in your Z program (Driver Program). Simply one driver program can be used in multiple Layouts by using Form routines. If you are using the driver program only for one layout, then the routine declaration is not necessary.
    Simply select the transmission medium as Print out in case of print. Special function means whether you want trigger this form for only Bill-to-party or Ship-to-party etc.. I hope you need to maintain as SH or BP, check with your functional people once.
    You can check the below link for further customization reference.
    Link: [output type configuration;
    You can check the below link to know the exact meaning for Form routine.
    Link: [https://forums.sdn.sap.com/click.jspa?searchID=13772541&messageID=5319599]
    Regards,
    Raghu..

  • Cisco NAC server hang issue

    Hi All Cisco NAC Experts, I am currently experiencing a Cisco NAC NAC3315-SVR hang issue.
    The issue has already happened a few times on the same server, and the symptoms when the NAC server hangs include no response to ICMP ping, no response to SSH, no response to access requests to the CAS management page via HTTPS, and the HA pair being detected down by its HA neighbor, which triggered failover to the secondary CAS.
    The CAS server recovered after manually power cycling the hardware.
    After going through the attached CAS logs, I found all the services and the logging service were stopped when the issue was happening, but unfortunately no suspicious activity was logged before or during the issue.
    I have also tried to search the Cisco Bug Toolkit but no similar case was found. I believe it was not caused by a software bug, because software version 4.8.1 has been running in my company for years and only one CAS server is having the issue.
    It would be great if anyone can help me out with this.
    Thanks,
    Eric

    Hi Bro
    This could be a problem with the certificate in that Cisco NAC appliance itself. My suggestion is to redo the certificate generation between the CAS, CAM and CA server. If this still doesn't work, it could also be due to overload/broadcast storm on the LAN portion. This can be verified via Wireshark.
    If all else fails, then a hardware swap would seem like the next best thing.

  • NAC Agent Login Dialog Not Appearing - ISE 1.1.1 issue ?

    Agent Fails to Initiate Posture Assessment
    The NAC agent is properly installed on a Windows 7, IE 9 machine; the certificates from ISE ADM PRI are installed in the trusted certificate store on the client machine, but it is a self-signed ISE certificate.
    The reports / USER / Profiling report says the Provisioning Agent has completed the assessment ok.
    The redirected URL is working fine (SEE Evidence)
    We are always prompted to install the NAC agent again or looking at the additional prompted information wait for the NAC agent to load and complete.
    The operations status remains with posture status pending forever and nothing else happens.
    Symptoms or Issue
    The agent login dialog box does not appear to the user following client provisioning.
    Conditions Cisco Says this issue can generally take place during the posture assessment phase of any user
    authentication session.
    Cisco Advises as Possible Causes There are multiple possible causes for this type of issue. See the following
    Resolution descriptions for details of what was already tested by us, and please see the attached files for our switch configuration and evidence.
    CISCO SUGGESTED POSSIBLE CAUSES AND RESOLUTIONS
    Resolution • Ensure that the agent is running on the client machine. ALL TESTED OK
    • Ensure that the Cisco IOS release on the switch is equal to or more recent than
    Cisco IOS Release 12.2.(53)SE. - OK
    • Ensure that the discovery host address on the Cisco NAC agent or Mac OS X
    agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon,
    choose Properties, and check the discovery host.) - OK (See evidence)
    • Ensure that the access switch allows Swiss communication between Cisco ISE
    and the end client machine. Limited access ACL applied for the session should
    allow Swiss ports: ALL CONFIGURED as CISCO GUIDELINES OK (SEE EVIDENCE)
    • If the agent login dialog still does not appear, it could be a certificate issue.
    Ensure that the certificate that is used for Swiss communication on the end client
    is in the Cisco ISE certificate trusted list. (ALL CHECKED OK SEE EVIDENCE)
    • Ensure that the default gateway is reachable from the client machine. (TESTED OK)

    Hi.
    Can you paste all the ACLs on your switch especially the webauth redirect ACL which should deny traffic towards the PSN.
    regards
    Zubair

  • ISE 1.3 and NAC

    I have a customer running 5508 WLCs across the estate, and I'm retrofitting IEEE802.1x authentication for the corporate WLAN, and WebAuth for the Guest WLAN...they have PSK at the moment :(
    They have AD and are showing great interest in ISE and NAC, so my immediate thoughts are to integrate ISE with AD, and use ISE as the RADIUS server for .1x on the WLC. Then use the WLC and ISE to do WebAuth for Guest...This is all standard stuff, but it gives the background.
    Now we get to the interesting bit...they want to run BYOD. They are involved in financial markets, so the BYOD needs to be tightly controlled. They are asking about ISE coupled with NAC, but I'm not convinced I need NAC since the arrival of ISE1.3. Obviously, I will be looking at three (min) SSIDs, namely corporate, guest and BYOD, all logically separate. I don't need anything that ISE 1.2 can't support on corporate and guest, but BYOD needs full profiling and either barring or device remediation before access to the net.
    Has anyone got any comments or suggestions? Is ISE 1.3 sufficiently NAC-like that I don't need it any more, or if that's not the case, what additional benefits does it bring that ISE can't support
    Thanks for any advice/comments/experiences
    Jim

    Hi Jim-
    Version 1.3 offers a built-in PKI and a vastly improved guest services experience. The internal PKI is nice if the customer doesn't have a PKI solution in place. Keep in mind though that the internal ISE PKI can only issue certificates to BYOD devices that were on-boarded via the ISE BYOD "flow", so you cannot use the ISE PKI to issue certs to domain computers.
    With regards to NAC: You will have to clarify exactly what is needed here. If you needed to perform "posture assessment" then ISE can do it for Windows and OSX based machines. You can check for things like: A/V, A/S, Firewall Status, Windows Patches, etc. If you want to perform posture on mobile devices then you will need to integrate ISE with an MDM (Mobile Device Management) solution such as: Airwatch, Mobile Iron, Maas360, etc. ISE can query the MDM for things like: Is the device protected with a PIN, is the device rooted, is the device encrypted, etc.
    I hope this helps!
    Thank you for rating helpful posts!

  • Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?

    Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?
    -My customer does not want to push NAC Agent installation on BYOD type of computers (non-managed by the company computers).
    -The requirement is to check for posture only company owned wired, wireless, and VPN connected Windows computers. The rest of the endpoints should be considered as posture incompliant, and limited access to the network should be allowed.
    -No certificates are used.
    -I’ve configured the required posture check, and it all works fine if a PC has NAC Agent manually installed (without ISE Client Provisioning). However, when I use a PC without NAC Agent, it is redirected to Client Provisioning Portal and is stuck there as Client Provisioning is deliberately not configured in ISE.
    -If I remove Posture Remediation Authorization Profile that does URL redirect, the posture does not work.
    -For now I'm testing it on wired endpoints.
    Is there a way to configure ISE to fulfill the listed above requirements?
    Any ideas would be appreciated.
    Thanks,
    Val Rodionov

    Everyone who finds and reads this article,
    I'm answering my own question "Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?"
    The answer is Yes.
    After doing research and configuration testing I came up with a solution, and it works fine for wired and VPN connections. I expect it to work on wireless endpoints as well.
    ISE configuration:
    Posture General Settings - Default Posture Status = NonCompliant
    Client Provisioning Policy - no rules defined
    Posture Policy - configured per requirements
    Client Provisioning (under Administration > Settings) - Enable Provisioning = Enable (it was disabled in my first test)
    Authorization Policies configured as regular posture policies
    The result:
    After successful dot1x authentication the posture redirect happens. If the PC does not have the NAC Agent preinstalled, the browser is redirected to the Client Provisioning Portal and a default ISE message is displayed (ISE is not able to apply an access policy... wait one minute and try to connect again...). At the same time, the endpoint is assigned NonCompliant posture status and the proper authorization policy is applied. This is what I wanted to achieve.
    If NAC Agent was preinstalled on the PC, after successful dot1x authentication the NAC Agent pops up and performs posture check. If posture is successful, posture compliant authorization policy is applied. If posture check fails, NonCompliant posture status is assigned and posture non-compliant authorization policy is applied. Which is the expected and needed result.
    The only part that is not perfect is the message displayed to the end user when posture is about to fail. I did not find a place to change the text of that message. I might need to open a TAC case so this file can be manually found and edited from the CLI (root access).
    Best,
    Val Rodionov
