NAC posture assessment error?

Hi experts
i have a NAC with 4.8.3 IOS installed. Everything works perfect if i am not putting any posture assesment like WSUS or AV check. Ican authenticate successfully and VLAN shifts ok. but if i put any posture assesment rule than NAC windows agent says NAC server is not available at network. And user goes to temporary role.
any suggestions?
Sent from Cisco Technical Support iPhone App

Please check the links for the Configuration and Troubleshoot of NAC
www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/48/cam/48cam-book/m_agntd.html
www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/47/cam/47cam-book/m_agntd.html#wp1234860

Similar Messages

  • NAC not doing posture assessment

    Hello All,
    I am having diffculty with NAC where its not doing posture assessment. I ran through the configuration guide and followed it to the T but still no luck. I am running NAC 4.5(1) for In Band wireless. Any ideas as to what i should be looking at next?
    Thanks,
    G

    What devices etc you using to implement NAC? Are you using ACS Server? or NAC Appliance?
    What mode of NAC are you using? L2 dot1x; L2 IP or L3 IP?
    What authentication are you using? (Take a look at your settings under System Config -> Global Authentication, if using Cisco ACS)
    A lot of issues I have seen with NAC is down to certificates/ca chains on the NAC posture server and the end clients.
    Stu

  • Does Cisco NAC Support Continuous Posture Assessment ?

    Hi all,
    Cisco does not seem to support continuous posture assessment when running out of band or in band ? What I mean is after authentication during authorization phase I ve been assigned to a role and according to that role I receive a posture result, if that posture result is pass then Ive been evaluated as a healthy end point and receive a Certificate. Then the switchport that I am connected to gets assigned to the corporate VLAN. Afterwards till my certificate expires system will always think that I am healthy.
    Ive gone through 4.8 release notes, it still does not seem to be supported ?
    Any comments are appreciated.
    Dumlu

    I think this is mentioned in the release notes; did you check the following section?
    http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/48rn.html#wp1105597
    Regards
    Farrukh

  • Posture Assessment Failed:Hostscan Initialize error in Window 8 x64

    I’m using Windows8 Enterprise x64,while using Cisco AnyConnect mobility client(installed filename is anyconnect-win-3.0.2052-web-deploy-k9.exe), it show error:
    Posture Assessment Failed:Hostscan Initialize error
    this is not being resolved,then I go back to Windows 7. Today I’ve changed the value of the registry as the guide( HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vpnva; changed the value to "Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64"), but it does NOT work yet. I re-installed the client software via the lastest anyconnect-win-3.1.00495-web-deploy-k9.exe, it still show the same error:
    Posture Assessment Failed:Hostscan Initialize error
    So boring it is! I would go back to Windows 7 one more time. Any advise???
    [周四 11月 08 23:06:03.075 20][libcsd][all][csd_init] hello
    [周四 11月 08 23:06:03.075 20][libcsd][all][csd_init] libcsd.dll version 3.0.08062
    [周四 11月 08 23:06:03.075 20][libcsd][debug][hs_transport_init] initialization
    [周四 11月 08 23:06:03.075 20][libcsd][debug][hs_file_verify_with_killdate] verifying file signature: file = [C:\Windows\system32\winhttp.dll], signer = [Microsoft Corporation], type = [1]
    [周四 11月 08 23:06:03.075 20][libcsd][debug][check_signature_by_file] checking signature by file (C:\Windows\system32\winhttp.dll)
    [周四 11月 08 23:06:03.075 20][libcsd][debug][check_signature_by_file] unable to verify trust for [C:\Windows\system32\winhttp.dll]: 2148204800
    [周四 11月 08 23:06:03.075 20][libcsd][debug][check_signature_by_catalog] checking signature by catalog (C:\Windows\system32\winhttp.dll)
    [周四 11月 08 23:06:03.107 20][libcsd][debug][check_signature_by_catalog] unable to verify trust for [C:\Windows\system32\winhttp.dll]: 2148098064
    [周四 11月 08 23:06:03.107 20][libcsd][error][hs_file_verify_with_killdate] unable to verify file signature: (C:\Windows\system32\winhttp.dll)
    [周四 11月 08 23:06:03.107 20][libcsd][error][hs_dl_load] file signature invalid, not loading library (C:\Windows\system32\winhttp.dll).
    [周四 11月 08 23:06:03.107 20][libcsd][debug][hs_transport_winhttp_init] failed to initialize winhttp with absolute path
    [周四 11月 08 23:06:03.107 20][libcsd][debug][hs_file_verify_with_killdate] verifying file signature: file = [C:\Windows\system32\kernel32.dll], signer = [Microsoft Corporation], type = [1]
    [周四 11月 08 23:06:03.107 20][libcsd][debug][check_signature_by_file] checking signature by file (C:\Windows\system32\kernel32.dll)
    [周四 11月 08 23:06:03.107 20][libcsd][debug][check_signature_by_file] unable to verify trust for [C:\Windows\system32\kernel32.dll]: 2148204800
    [周四 11月 08 23:06:03.107 20][libcsd][debug][check_signature_by_catalog] checking signature by catalog (C:\Windows\system32\kernel32.dll)
    [周四 11月 08 23:06:03.138 20][libcsd][debug][check_signature_by_catalog] unable to verify trust for [C:\Windows\system32\kernel32.dll]: 2148098064
    [周四 11月 08 23:06:03.138 20][libcsd][error][hs_file_verify_with_killdate] unable to verify file signature: (C:\Windows\system32\kernel32.dll)
    [周四 11月 08 23:06:03.138 20][libcsd][error][hs_dl_load] file signature invalid, not loading library (C:\Windows\system32\kernel32.dll).
    [周四 11月 08 23:06:03.138 20][libcsd][error][load_system_lib] Failed to initialize kernel32.dll
    [周四 11月 08 23:06:03.138 20][libcsd][debug][hs_dl_load_no_signature] winhttp.dll has been loaded successfully with no signature verification
    [周四 11月 08 23:06:03.138 20][libcsd][debug][hs_file_verify_with_killdate] verifying file signature: file = [C:\Windows\system32\crypt32.dll], signer = [Microsoft Corporation], type = [1]
    [周四 11月 08 23:06:03.138 20][libcsd][debug][check_signature_by_file] checking signature by file (C:\Windows\system32\crypt32.dll)
    [周四 11月 08 23:06:03.138 20][libcsd][debug][check_signature_by_file] unable to verify trust for [C:\Windows\system32\crypt32.dll]: 2148204800
    [周四 11月 08 23:06:03.138 20][libcsd][debug][check_signature_by_catalog] checking signature by catalog (C:\Windows\system32\crypt32.dll)
    [周四 11月 08 23:06:03.169 20][libcsd][debug][check_signature_by_catalog] unable to verify trust for [C:\Windows\system32\crypt32.dll]: 2148098064
    [周四 11月 08 23:06:03.169 20][libcsd][error][hs_file_verify_with_killdate] unable to verify file signature: (C:\Windows\system32\crypt32.dll)
    [周四 11月 08 23:06:03.169 20][libcsd][error][hs_dl_load] file signature invalid, not loading library (C:\Windows\system32\crypt32.dll).
    [周四 11月 08 23:06:03.169 20][libcsd][debug][hs_transport_winhttp_init] failed to initialize crypt32
    [周四 11月 08 23:06:03.169 20][libcsd][debug][hs_file_verify_with_killdate] verifying file signature: file = [C:\Windows\system32\wininet.dll], signer = [Microsoft Corporation], type = [1]
    [周四 11月 08 23:06:03.169 20][libcsd][debug][check_signature_by_file] checking signature by file (C:\Windows\system32\wininet.dll)
    [周四 11月 08 23:06:03.169 20][libcsd][debug][check_signature_by_file] unable to verify trust for [C:\Windows\system32\wininet.dll]: 2148204800
    [周四 11月 08 23:06:03.169 20][libcsd][debug][check_signature_by_catalog] checking signature by catalog (C:\Windows\system32\wininet.dll)
    [周四 11月 08 23:06:03.185 20][libcsd][debug][check_signature_by_catalog] unable to verify trust for [C:\Windows\system32\wininet.dll]: 2148098064
    [周四 11月 08 23:06:03.185 20][libcsd][error][hs_file_verify_with_killdate] unable to verify file signature: (C:\Windows\system32\wininet.dll)
    [周四 11月 08 23:06:03.185 20][libcsd][error][hs_dl_load] file signature invalid, not loading library (C:\Windows\system32\wininet.dll).
    [周四 11月 08 23:06:03.185 20][libcsd][error][hs_transport_init] initialization failed
    [周四 11月 08 23:06:03.185 20][libcsd][debug][hs_transport_free] de-initialization
    [周四 11月 08 23:06:03.185 20][libcsd][debug][hs_transport_free] de-initialization done
    [周四 11月 08 23:06:03.185 20][libcsd][debug][hs_transport_free] de-initialization [周四 11月 08 23:06:03.075 20][libcsd][all][csd_init] hello
    [周四 11月 08 23:06:03.075 20][libcsd][all][csd_init] libcsd.dll version 3.0.08062
    [周四 11月 08 23:06:03.075 20][libcsd][debug][hs_transport_init] initialization
    [周四 11月 08 23:06:03.075 20][libcsd][debug][hs_file_verify_with_killdate] verifying file signature: file = [C:\Windows\system32\winhttp.dll], signer = [Microsoft Corporation], type = [1]
    [周四 11月 08 23:06:03.075 20][libcsd][debug][check_signature_by_file] checking signature by file (C:\Windows\system32\winhttp.dll)
    [周四 11月 08 23:06:03.075 20][libcsd][debug][check_signature_by_file] unable to verify trust for [C:\Windows\system32\winhttp.dll]: 2148204800
    [周四 11月 08 23:06:03.075 20][libcsd][debug][check_signature_by_catalog] checking signature by catalog (C:\Windows\system32\winhttp.dll)
    [周四 11月 08 23:06:03.107 20][libcsd][debug][check_signature_by_catalog] unable to verify trust for [C:\Windows\system32\winhttp.dll]: 2148098064
    [周四 11月 08 23:06:03.107 20][libcsd][error][hs_file_verify_with_killdate] unable to verify file signature: (C:\Windows\system32\winhttp.dll)
    [周四 11月 08 23:06:03.107 20][libcsd][error][hs_dl_load] file signature invalid, not loading library (C:\Windows\system32\winhttp.dll).
    [周四 11月 08 23:06:03.107 20][libcsd][debug][hs_transport_winhttp_init] failed to initialize winhttp with absolute path
    [周四 11月 08 23:06:03.107 20][libcsd][debug][hs_file_verify_with_killdate] verifying file signature: file = [C:\Windows\system32\kernel32.dll], signer = [Microsoft Corporation], type = [1]
    [周四 11月 08 23:06:03.107 20][libcsd][debug][check_signature_by_file] checking signature by file (C:\Windows\system32\kernel32.dll)
    [周四 11月 08 23:06:03.107 20][libcsd][debug][check_signature_by_file] unable to verify trust for [C:\Windows\system32\kernel32.dll]: 2148204800
    [周四 11月 08 23:06:03.107 20][libcsd][debug][check_signature_by_catalog] checking signature by catalog (C:\Windows\system32\kernel32.dll)
    [周四 11月 08 23:06:03.138 20][libcsd][debug][check_signature_by_catalog] unable to verify trust for [C:\Windows\system32\kernel32.dll]: 2148098064
    [周四 11月 08 23:06:03.138 20][libcsd][error][hs_file_verify_with_killdate] unable to verify file signature: (C:\Windows\system32\kernel32.dll)
    [周四 11月 08 23:06:03.138 20][libcsd][error][hs_dl_load] file signature invalid, not loading library (C:\Windows\system32\kernel32.dll).
    [周四 11月 08 23:06:03.138 20][libcsd][error][load_system_lib] Failed to initialize kernel32.dll
    [周四 11月 08 23:06:03.138 20][libcsd][debug][hs_dl_load_no_signature] winhttp.dll has been loaded successfully with no signature verification
    [周四 11月 08 23:06:03.138 20][libcsd][debug][hs_file_verify_with_killdate] verifying file signature: file = [C:\Windows\system32\crypt32.dll], signer = [Microsoft Corporation], type = [1]
    [周四 11月 08 23:06:03.138 20][libcsd][debug][check_signature_by_file] checking signature by file (C:\Windows\system32\crypt32.dll)
    [周四 11月 08 23:06:03.138 20][libcsd][debug][check_signature_by_file] unable to verify trust for [C:\Windows\system32\crypt32.dll]: 2148204800
    [周四 11月 08 23:06:03.138 20][libcsd][debug][check_signature_by_catalog] checking signature by catalog (C:\Windows\system32\crypt32.dll)
    [周四 11月 08 23:06:03.169 20][libcsd][debug][check_signature_by_catalog] unable to verify trust for [C:\Windows\system32\crypt32.dll]: 2148098064
    [周四 11月 08 23:06:03.169 20][libcsd][error][hs_file_verify_with_killdate] unable to verify file signature: (C:\Windows\system32\crypt32.dll)
    [周四 11月 08 23:06:03.169 20][libcsd][error][hs_dl_load] file signature invalid, not loading library (C:\Windows\system32\crypt32.dll).
    [周四 11月 08 23:06:03.169 20][libcsd][debug][hs_transport_winhttp_init] failed to initialize crypt32
    [周四 11月 08 23:06:03.169 20][libcsd][debug][hs_file_verify_with_killdate] verifying file signature: file = [C:\Windows\system32\wininet.dll], signer = [Microsoft Corporation], type = [1]
    [周四 11月 08 23:06:03.169 20][libcsd][debug][check_signature_by_file] checking signature by file (C:\Windows\system32\wininet.dll)
    [周四 11月 08 23:06:03.169 20][libcsd][debug][check_signature_by_file] unable to verify trust for [C:\Windows\system32\wininet.dll]: 2148204800
    [周四 11月 08 23:06:03.169 20][libcsd][debug][check_signature_by_catalog] checking signature by catalog (C:\Windows\system32\wininet.dll)
    [周四 11月 08 23:06:03.185 20][libcsd][debug][check_signature_by_catalog] unable to verify trust for [C:\Windows\system32\wininet.dll]: 2148098064
    [周四 11月 08 23:06:03.185 20][libcsd][error][hs_file_verify_with_killdate] unable to verify file signature: (C:\Windows\system32\wininet.dll)
    [周四 11月 08 23:06:03.185 20][libcsd][error][hs_dl_load] file signature invalid, not loading library (C:\Windows\system32\wininet.dll).
    [周四 11月 08 23:06:03.185 20][libcsd][error][hs_transport_init] initialization failed
    [周四 11月 08 23:06:03.185 20][libcsd][debug][hs_transport_free] de-initialization
    [周四 11月 08 23:06:03.185 20][libcsd][debug][hs_transport_free] de-initialization done
    [周四 11月 08 23:06:03.185 20][libcsd][debug][hs_transport_free] de-initialization

    I've successfully solved this problem by using both web-based SSL-VPN login and latest AnyConnect Secure Mobility Client. After I installed anyconnect-win-3.1.00495-k9, I open the URL of my company's ssl vpn, followed the steps then logged in, thus it calls the client to establish a vpn connection. It successed!
    VPN CONNECTED LIKE THIS:

  • AnyConnect - Posture Assessment Failed: Unable to get the available CSD version....

    Hello all
    I am attempting to get the HostScan posture assessment working so we can check that any device connecting to the ASA is a valid corporate asset.
    I have installed the posture module onto our test client machine (Windows 8.1) using the following software:
    anyconnect-posture-win-4.0.00061-pre-deploy-k9
    Then in ASDM under Remote Access VPN > Host Scan Image I have uploaded the following package:
    disk0:/hostscan_3.1.06073-k9.pkg
    ...and ticked the box 'Enable Host Scan/CSD'.
    Under Remote Access VPN > Secure Desktop Manager I have configured an initial simple Prelogin policy to test it working, this simply just checks that the OS is Windows 8. A success should map this user to a Group Policy I have created that is mapped to a Connection Profile. 
    So, with all that said, when I try to connect I see that the AnyConnect client going through the motions: "Posture Assessment: Checking for updates....", after which I get a pop-up and error message:
    "Posture Assessment Failed: Unable to get the available CSD version from the secure gateway"
    A bit stumped here and haven't quite found much on the web as to how to resolve this.
    Has anyone encountered this before? If so, can you advise on what I can do
    By the way I am connecting using IKEv2 (IPsec) as these are the requirements and the AC version is 4.0.00061, ASA version: 9.2(1).
    Many thanks

    Hello
    Please forgive the shameless bump. Was hoping someone could help?
    Many thanks

  • ISE 1.2 Posture Assessment with AnyConnect Client

    Hi Experts,
    I need clarity for posture assessment with AnyConnect client. I understood that we had traditional NAC agent with ISE 1.1.
    Since new Anyconnect version 4 has come which is used for ISE 1.3 posture assessment however I am not sure if I can use Anyconnect 4 with ISE 1.2 ?  Can you please put light on this ?
    if not , do I need to upgrade to ISE 1.3 ? what is the process to upgrade to ISE 1.3 ?
    Thanks in advance

    ISE can provision clients with agent and configure agent profiles.You have Client-provisioning policies that enable users to download and install resources on client devices.(Windows and Mac OS X NAC Agents, Cisco NAC Web Agent.

  • Cisco ISE inline posture node Posture assessment query

    Hi all,
    i read the user guide for the ISE 1.1 and in the Inline posture section, I picked up the following text which concerned me if I understand it right...
    "In a deployment, such as outlined in the example, when more endpoints connect to the wireless network
    they are likely to fall into one of the identity groups that already have authenticated and authorized users
    connected to the network.
    For instance, there may be an employee, executive, and guest that have been granted access through the
    outlined steps. This situation means that the respective restrictive or full-access profiles for those ID
    groups have already been installed on the Inline Posture node. The subsequent endpoint authentication
    and authorization uses the existing installed profiles on the Inline Posture node, unless the original
    profiles have been modified at the Cisco ISE policy configuration. In the latter case, the modified profile
    with ACL is downloaded and installed on the Inline Posture node, replacing the previous version."
    Does this mean that if a corporate user VPNs in and successfully passes posture and gets a dACL applied to the session allowing full access, will the next user completely skip posture assessment and granted full access to the network if they are a member of the same AD group?
    I am planning on using the iPEP for posturing VPN clients and using AD groups to determine the correct dACL to apply to a particular VPN session.
    Thanks!
    Mario

    I'm not too familiar with the actual operations of the Inline Posture node, but it seems to me that the only things that are more or less "cached" are the authentication and authorization profiles that have been previously matched. So, even if they're "cached" and a endpoint matches and authorizes based on those policies, it would match on the policy that provides a pre-posture state. So, a PRE-POSTURE ACL would be pushed and an URL redirect would also occur to the NAC agent download portal (if the endpoint doesn't have it already).
    After posture is assessed, a change of authorization would occur and reauthorize that endpoint's session.
    So, in short, even if the profiles are cached, they only deliver pre-posture profiles. After posture assessment, the endpoint is goes through reauth via CoA.
    If you have access to the partner education connection, I suggest checking out the VoE deep dive series for ISE. There's a posture presentation that would probably help you out.
    https://communities.cisco.com/docs/DOC-30977
    HTH,
    Ryan

  • AnyConnect Host Scan / Posture Module Errors

    Hi,
    We are running a lab POC for AnyConnect 3.0 in prep for a migration from Cisco VPN Client to AnyConnect [VPN, NAM & Posture] and are having issues with Host Scan.
    Essentially, we want to have AnyConnect / ASA check for a file on the local client machine, and scan for Symantec End Point Protection and ensure that it is running. Upon success of this criteria and successful user authentication, access will be granted, otherwise deny.
    Our client test machines have predeployed AnyConnect client with NAM and the Posture module [installed from the supplied Cisco AnyConnect predeploy ISO .msi's]. We have no requirement for Clientless SSL VPN Access at this stage.
    However, when initiating a VPN connection with Secure Desktop / Host Scan enabled, it fails with the following errors:
    Warning dialogue appears:
    “Posture Assessment Failed: HostScan Prelogin error”
    Ok box is displayed. Click “OK” and then:
    “An error has occurred while running Host Scan. Please attempt to connect again.”
    Also, during the connection process, the following information is displayed in the AnyConnect VPN window:
    “Posture Assessment...Checking For updates [1 – 5 seconds]”
    “Posture Assessment...Initiating [1 -5 seconds]”
    “Posture Assessment...Updating [1 -3 seconds]”
    “Posture Assessment...Initiating [1 – 3 seconds]”
    Then the first two errors appears.
    On the config side - I have done the following:
    1. Enabled Secure Desktop Manager and installed the CSD image [using csd_3.6.181-k9.pkg]
    2. Installed a Host Scan Image [anyconnect-win-3.0.1047-k9.pkg] and enabled it.
    3. Enabled the host scan extensionsin the Secure Desktop Manager Host Scan Settings [Endpoint Assessment ver 3.4.17.1]
    3. Created a Pre-Login policy to check for a text file [named example.dat]
    4. Created a DAP policy to check for the text file again, and to look for personal firewall [Symantec End Point Protection].
    I'm a little stumped as to why this is happening, as I have pretty much deployed this in line with the Anyconnect and ASA config guides.
    Oddly - If I browse to the ASA's URL and log in via weblaunch, I can successfully connect and initiate a VPN with successful host scan and DAP pass, the session is then handed off to the AnyConnect client and everything works nicely. It just doesn't work when using the local AnyConnect pre-deployed client.
    Any one have any ideas or pointers of where I may be going wrong?
    Any help is appreciated!
    Thanks!

    Hi Marcus,
    Thanks for your reply - help is appreciated!
    On the host scan image - The ASA & AnyConnect 3.0 Config Guides specify that a stand alone host scan image OR an anyconnect package can be used for the hostscan image, the ASA will just extract the hostscan software when required from the anyconnct package on demand.
    I have done some further testing, and can confirm that this works fine when using weblaunch..leading me on to my next point...
    I beleive the problem is related to using IPSec as the preferred VPN prortocol...
    IPSec - I have found that when using IPSec [IKEv2] as the local AnyConnect clients primary VPN protocol [rather than SSL - and set in the local VPN profile], I am unable to connect with HostScan / CSD is enabled, AND regardless of whether HostScan / CSD is enabled, I am unable to push software updates or profile updates too when configured in group policy! The VPN connection just fails. If I turn off any of the "client services" related functions such as profile or software updates in the group policy config [and HostScan / CSD is disabled] I can connect fine.
    If I set the local AnyConnect client VPN profile to use SSL as it's preferred VPN protocol, everything works nicely!
    I understand that the local client VPN profile, when set to IPsec as the preferred VPN protocol uses a proprietry EAP authentication method and, that changing this to a "Standards Based" eap method [such as GTC etc] will limit the download capabilities needed.
    What's odd, is that the local profile on our client is set to use IPSec, and the check box to use a Standards based eap method is not checked - yet the behavoir of the client suggests that maybe it's doing this- non of the client services seem to be available? Very odd.
    We are using RADIUS between the ASA and a backend Cisco ACS server with SecureID Tokens as the passcode to auth the users with no cert checking.
    Does anyone have any idea how this proprietry IPSec method works?
    Thanks again,

  • Pre-login posture assessment - possible with ISE?

    Does anyone know if it is possible (or not) to have a windows machine posture assessed on boot? ie. before anyone logs in on it. Currently, I have to log in on my machine before the assessment starts. It would be good to have assessment begin as soon as the machine boots so that (assuming the machine passes assessment) it is completed by the time I log in. We are using the NAC Agent with ISE1.2.
    Thanks in advance for your thoughts.

    As far as i know, the posture agent does not do anything before user has logged in, i have never seen a posture report in ise, that indicates anything else, because you would get many failed posture compliance checks, if it did (checking user keys, user files, av status and so on in machine land).

  • ISE Posture Assessment

    Hi,
    While reading about ISE posture, I got to know that ISE searches” User Agent” attribute for string “NAC Agent” to confirm that NAC agent is present on particular machine.This information is passed to ISE when user opens Web Browser i.e. user gets redirected
    If NAC agent is not present on machine then NAC agent will get downloaded and then Posture assessment starts.
    While testing this on ISE, I noticed that
    If NAC agent is already present on machine then directly posture assessment starts even without opening web browser.
    Now my question is, how ISE does come to know that NAC agent is already present on machine without opening web browser.
    Regards,
    Aditya

    I second Richard on the fact that it can't be done. However, I was going through this and wanted to share in case it helps.
    Default Posture Status
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_pos_pol.html#wp1919363
    Jatin Katyal
    - Do rate helpful posts -

  • Guest Posture Assessment for MAC OSX

    Hi
    I need to perform posture assessment for guest users who own MAC OSX machines , but i couldn't find Webagent available for Mac Osx just regular NAC_AGENT for MAC, so i need to know if it's supported ?
    thanx

    Mac OS X Agent need to be used for posture assessment and remediation
    http://www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/47/cam/47cam-book/m_webagt.html#wp1556106

  • Why won't my MacBook Pro backup to Time Machine (on my 1TB Time Capsule) when I'm running Lion OSX 10.7.5.? What does it mean when this error pops up: MacBook Pro.sparse bundle could not be assessed (error - 1).???? Please help me fix this!

    Apparently I am not the only person having this problem as I have seen many threads about it. If ANYONE OUT THERE CAN HELP ME, I WOULD SINCERELY APPRECIATE IT.
    I try and run my backup as I always have, but it HAS NEVER COMPLETED SINCE I UPGRADED TO LION. As many mentions, I updated from 10.7.4 to 10.7.5 hoping that would fix my issue and it didn't help at all. I also unistalled WD SmartWare to no avail. It's really starting to annoy me since I have as much money invested in my MacBook Pro and Time Capsule as I do in my car....
    I have more than enough space on the Time Capsule, but Time Machine is still failing and coming up with an error message: MacBook Pro.sparsebundle could not be assessed (error - 1).
    Someone, anyone, please help!

    . . . sparse bundle could not be accessed (error -1)

  • Simple Web Auth policy and simple posture assessment policy in ISE

    G'day All,
    I've just finished reading through the Cisco BYOD with ISE document and it's left me a little more confused than when I started.
    I completely understand the onboarding process and the different policy elements that make up the self registration/onboarding configuration.
    What I'd like to do is put together an ISE configuration that is a lot simpler for the BYOD user.
    Is anyone able to advise if it is possible to have a single dot1x SSID with ISE that has a policy for Window Laptops using AD authentication for the user and Posture assessment and a policy for all smart devices (iOS and Android) that is just AD authentication of the user, without the need for device registration?
    The target user demographic for my deployment are really not technical so having to go through the onboarding process, especially for the Android devices, with the pre-installation of the cisco app, etc, really isn't what they are looking for.
    Huge thanks for any assistance.
    Cheers,
    JS

    Yes, that's possible. But without "device registration" then you need to configure Wireless 802.1x manually in every Android device.
    Please rate if that helps.

  • ISE post compliant posture assessment URL redirection

    G'day All,
    Is anyone aware if it is possible for ISE to push a URL redirection to user devices once they have passed the posture assessment?
    I am deploying a wireless BYOD ise deployment with AD auth and posture assessment, and we are hoping to find an easy way to push the compliant users to a new URL once they have passed posture.
    Thanks gang.
    Cheers,
    James.               

    It is not possible to redirect user after authentication and posturing to a specific URL. because ISE does not support this feature till now.
    I think  URL redirection can be done in web authentication if used in case of employee.
    Navigate to Policy > Policy Elements > Results > Authorization and then select Authorization Profiles
    Step 18 Select Add to create a new Authorization Profile for Central Web Authentication:
    Name
    Central_Web_Auth
    Description
    (optional)
    Access-Type
    ACCESS_ACCEPT
    DACL   Name
    CENTRAL_WEB_AUTH
    Centralized   Web Authentication
    ACL:
    ACL-WEBAUTH-REDIRECT
                                                              Redirect : Default
    “ACL-WEBAUTH-REDIRECT” is  configured on  switch  which determines to which destination it will redirect 

  • Prerequisite to enable Profiling for posture assessment to check the AV, Patches, OS update

    Hi Experts,
    I have wireless set-up with two SSID , one is used for corporate users with dot1x auth and other one for guest using CWA .
    I understood that , i do not need to buy any license or pay to cisco for Wireless license however i want to understand for enabling profiling for posture assessment .
    I understood that I need have advance license for posture assessment however I am looking out for information about costing to buy advance license and is there any prereuisite to configure posture assessment other than additional license?

    There were a few changes in ISE v1.3:
    - Base License = The same
    - Plus License = The same (with some more features)
    - Advanced License = Apex
    - Wireless = Mobility (Now it includes VPN based authentications as well)
    So your plan is to run the new version of ISE (1.3) and AnyConnect 4 then you will need to have:
     - ISE Mobility License (Includes Base, Plus and Apex for wireless and VPN)
     - AnyConnect APEX license - This one is on the honer system and it is not installed on ISE
    If you plan to use posture on wired as well then instead of the "mobility" license you will need to get:
     - ISE Base
     - ISE Plus
     - ISE Apex
     - AnyConnect Apex
    Thank you for rating helpful posts!

Maybe you are looking for

  • After IOS 8 update,all the Deleted Pictures can be seen in instagram when uploading.

    I recently updated my Iphone 5S to the latest update of IOS 8. After the update , when i am uploading a picture in instagram, I can see that all the photos including the ones which i have deleted earlier can be seen in it, but it is not shown in the

  • Itunes wont open on my computer and wont come up when I plug in my Iphone

    Went to use Itunes this morning when I pluged in my Iphone, itunes did come up but was not syncing to my Iphone, so I exited out of it and clicked to open it from desktop but nothing would come up.  I uninstalled it and then reinstalled it but still

  • I edited my Drop Down Menu, yet the changes arent reflected online

    Hi everyone, I created a website for a friend, and I used Drop Down Menus for a image category. Now, I went back into the behaviors palette in DW, and I edited the name of one of the items in the menu. But when i uploaded my file back online, none of

  • Old skype number

    Hi there my old skype number has ran out. Would it be possible to get it back or would it have been given to someone else now? Many thanks!

  • "Do Not Disconnect Screen" is monochrome

    I thought it was supposed to be Colored and the SYmbol is red but now its Black and White, and when i turn it on for like a fraction of a second it has the folder with an exclamation point and says www.apple.com/support/ipod