Cisco Support Community
Cisco ISE trying to posture a device that should not be able to be postured

Overview:

Cisco ISE version 1.1.4. Windows PCs will be postured using the Web NAC agent. Mobile devices (Apple/Android) can't be postured and will be exempted from posturing. Mobile devices will be exempted using the condition EndPoints:PostureApplicable EQUALS No. This worked fine: mobile devices were caught by this condition, while Windows devices were caught by another rule that sends them to posturing.

Mobile device authorisation policy configured:

Authz.PNG

Problem:

A few days later, mobile devices don't seem to end up in the policy that has EndPoints:PostureApplicable EQUALS No. After having a look at monitoring, Cisco ISE classifies mobile devices as Posturable. The Posture Status that previously was "NotApplicable" now shows up as "Pending". See below.

notapplicable.PNG

Troubleshooting:

I tried a total of 4 different mobile devices: 2 Apple and 2 Android. All of them have the Posture Status of "Pending". Interestingly, after a few tries both of the Androids started working and have the PostureStatus of "NotApplicable"; no configuration changes were made. The 2 Apple devices still don't work and show up as "Pending".

I have restarted ISE, the Access Point and the Apple device. I have also tried another Apple device. All with the same problem.

Have any of you guys experienced this before?

Cisco Employee

Cisco ISE trying to posture a device that should not be able to

Having a quick look, I did find there were scenarios in which the EndPoints:PostureApplicable attribute was set to null; this was found in beta-testing of 1.2.

That could explain why some of the devices started working after a few tries.

Do you mind opening a TAC case and/or trying the 1.2 release (if you have a testing ISE set up)?

M.

Cisco ISE trying to posture a device that should not be able to

Hi,

I have also experienced the same issues as yourself and would recommend opening a TAC case. However, I have used the device registration web portal to redirect all previously detected mobile devices to accept the AUP and have them statically assigned to an endpoint group so they do not hit this scenario.

I know it is a workaround, but it's the only way I could get this to work and not affect devices that were at one time detected as such.

Tarik Admani
*Please rate helpful posts*
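The two replies above describe a mechanism (the EndPoints:PostureApplicable attribute going null) and a workaround (statically assigning known mobile endpoints to an endpoint group that is matched before posture). The following is an added example, not code from the thread or from Cisco: a toy first-match authorization-policy evaluator in Python that shows why an "EQUALS No" rule silently stops matching when the attribute is null, so the endpoint falls through to the posture rule and shows as "Pending", and how a static-group rule placed above it catches those endpoints anyway. The rule names, profile names, endpoint attributes and MAC addresses are constructed; the assumption that an ISE EQUALS condition on a null attribute evaluates to false (rather than erroring) is an assumption of this model.

```python
# Added example (not from the thread or from Cisco): a toy first-match
# authorization-policy evaluator that models how a rule keyed on
# EndPoints:PostureApplicable EQUALS No stops matching when that attribute
# is null, and how a static endpoint-group rule placed above it avoids that.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# An endpoint is just a bag of attributes; None models an unset/null attribute.
Endpoint = Dict[str, Optional[str]]


@dataclass(frozen=True)
class Rule:
    name: str                              # hypothetical rule name
    condition: Callable[[Endpoint], bool]  # evaluated top-down, first match wins
    result: str                            # hypothetical authorization profile


def attr_equals(attr: str, value: str) -> Callable[[Endpoint], bool]:
    """Build an EQUALS condition. Assumption: a null or absent attribute never
    equals anything, so the condition is simply false rather than an error."""
    return lambda ep: ep.get(attr) is not None and ep[attr] == value


# Constructed policy, top to bottom, mirroring the thread:
#  1. workaround from the second reply: endpoints statically placed in a
#     registered-device group are permitted before posture is considered;
#  2. the original mobile exemption on PostureApplicable EQUALS No;
#  3. compliant endpoints are permitted;
#  4. everything else is sent to posture (where a null attribute ends up).
POLICY: List[Rule] = [
    Rule("Registered_Mobile", attr_equals("IdentityGroup", "RegisteredDevices"), "PermitAccess"),
    Rule("Mobile_NoPosture", attr_equals("PostureApplicable", "No"), "PermitAccess"),
    Rule("Posture_Compliant", attr_equals("PostureStatus", "Compliant"), "PermitAccess"),
    Rule("Posture_Redirect", lambda ep: True, "Posture_Redirect"),
]


def matched_rule(ep: Endpoint, policy: List[Rule] = POLICY) -> Optional[Rule]:
    """Return the first rule whose condition holds, or None (implicit deny)."""
    for rule in policy:
        if rule.condition(ep):
            return rule
    return None


def evaluate(ep: Endpoint, policy: List[Rule] = POLICY) -> str:
    """Authorization result for one endpoint under a first-match policy."""
    rule = matched_rule(ep, policy)
    return rule.result if rule else "DenyAccess"


def null_posture_applicable(endpoints: List[Endpoint]) -> List[str]:
    """Detection helper: MACs whose PostureApplicable is null/absent, i.e. the
    endpoints that will silently fall through the exemption rule."""
    return [ep["MAC"] for ep in endpoints if ep.get("PostureApplicable") is None]


# Constructed sample endpoints (placeholder MACs).
SAMPLE_ENDPOINTS: List[Endpoint] = [
    {"MAC": "AA:BB:CC:00:00:01", "PostureApplicable": "No"},   # mobile, healthy attribute
    {"MAC": "AA:BB:CC:00:00:02", "PostureApplicable": None},   # mobile, attribute went null
    {"MAC": "AA:BB:CC:00:00:03", "PostureApplicable": None,    # null, but statically grouped
     "IdentityGroup": "RegisteredDevices"},
    {"MAC": "AA:BB:CC:00:00:04", "PostureApplicable": "Yes", "PostureStatus": "Compliant"},
    {"MAC": "AA:BB:CC:00:00:05", "PostureApplicable": "Yes", "PostureStatus": "Pending"},
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        rule = matched_rule(ep)
        print(f"{ep['MAC']}  {rule.name if rule else '<none>':18}  {evaluate(ep)}")
    print("null PostureApplicable:", null_posture_applicable(SAMPLE_ENDPOINTS))
```

Running the script shows endpoint 02 (null attribute, no static group) landing on the posture-redirect rule, which is the "Pending" symptom in the original post, while endpoint 03 with the same null attribute is permitted by the static-group rule above it. The `null_posture_applicable` helper is the check a defender would run over an endpoint export to find the devices that need the workaround.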
