Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1293
Views
0
Helpful
2
Replies

Cisco ISE trying to posture a device that should not be able to be postured

nomadicwifi
Level 1
Level 1

‎07-29-2013 02:37 AM - edited ‎03-10-2019 08:42 PM

Overview:

Cisco ISE version 1.1.4. Windows PC will be postured using Web NAC agent. Mobile devices (Apple/Android) can't be postured and will be exempted from posturing. Mobile devices will be exempted using the condition EndPoints:PostureApplicable EQUALS No. This worked fine and mobile devices will be caught by this condition while Windows device will be caught by another that sends to posturing.

Mobile device authorisation policy configured:

Authz.PNG

Problem:

A few days later, mobile devices doesn't seem to end up in the policy that has EndPoints:PostureApplicable EQUALS No. After having a look at monitoring, Cisco ISE is classifies  mobile devices as Posturable. The Posture Status previously was "NotApplicable" now shows up as "Pending". See below.

notapplicable.PNG

Troubleshooting:

I tried a total of 4 different mobile devices. 2 Apple and 2 Android. All of them have the Posture Status of "Pending". Interestingly after a few tries, both the Androids starting working and have the PostureStatus of "NotApplicable", no configuration changes were made. The 2 Apple device still doesn't work and show up as "Pending".

I have restarted ISE, Access Point and Apple device. I have also tried other Apple device. All with the same problem.

Have any of you guys experienced this before?

Labels:
0 Helpful
2 Replies 2

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎07-29-2013 04:34 AM

Having a quick look I did find there were scenarios found in which

EndPoints:PostureApplicable attribute was set to null it was found in beta-testing of 1.2.

That could explain why some of the devices started working after a few tries.

Do you mind opening a TAC case and/or trying 1.2 release (if you have a testing ISE set up).

M.

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to Marcin Latosiewicz

‎07-29-2013 07:41 AM

Hi,

I have also experienced the same issues as yourself and would recommend opening a tac case. However I have used the device registration web portal to redirect all previous detected mobile devices to accept the aup and have them statically assigned to an endpoint group so they do not hit this scenario.

I know it is a workaround but its the only way i could get this to work and not affect devices that were one time detected as such.

Tarik Admani
*Please rate helpful posts*

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents