
[ISE] Posture Status - Not applicable

Patrick Tran
Level 1

Hi,

I configured WiFi Guest Access with WLC and ISE and it works great.

Now I want to check client posture.

I configured a posture policy

posture_policy.PNG

On a Windows 7 client, I installed the NAC client. With a network sniffer, I can see the SWISS protocol (TCP 8905) between the client and ISE.

In the authentications log, Posture Status is always "NotApplicable".

posture_not_applicable.PNG

Why is this posture not applicable?

Thanks a lot!

Patrick

19 Replies

karim hamandi
Level 1

You will need to check your authorization profile to make sure it has an action to check "session" "posture" EQUAL "compliant".

Guys,

I have the same problem here, and my rule is with Posture status EQUAL compliant.

Can you help me?

Rafael,

Can you please post a screenshot of your authorization policies?

Thanks,

Tarik Admani
*Please rate helpful posts*

Peter Koltl
Level 7

What is the Preauthentication ACL (ACL-POSTURE-REDIRECT) on the WLC?

Peter, it is wired authentication.

Screenshot of the authorization rules: http://uploaddeimagens.com.br/imagens/auth-jpg


Can you please post a screenshot of your settings for the authorization result for non-compliant users? Also, do you have your client provisioning and posture policies configured?

Client provisioning - Is the profile that pushes out the client

Posture policies - Determines which rules the clients must meet for posturing

Are you redirected and assigned to the proper VLAN?

Also, can you post a screenshot of the endpoint attribute for your test client (does the posture applicable field appear and is it set to "NO")?

Thanks,

Tarik Admani
*Please rate helpful posts*

Hello Tarik,

Result NonCompliant: http://uploaddeimagens.com.br/imagens/result_noncompliant-jpg

Posture rule: http://uploaddeimagens.com.br/imagens/posture_rule-jpg

The client provisioning is set to force NAC Agent version 4.9.0.47.

Yes, the VLAN is correct.

The major problem is the NotApplicable status in the posture log; ISE is not applying the posture. Sometimes it works fine, and sometimes it doesn't work and NotApplicable appears in the log.


Rafael,

It looks like you are using Chrome to manage your ISE (please do not use Chrome, it messes up your policies). Please use Mozilla so that I can get a better idea of what your remediation settings are set to. You may have to go back in and fix this.

Also, you will need to turn on the web portal for posture discovery, and all the remediation ACLs and redirection ACLs will have to be in order for this to work.

Thanks,

Tarik Admani
*Please rate helpful posts*

kylerossd
Level 4

I have a similar problem. I am running 1.1.3. The strange thing is that it was working a week ago. The client is not hitting the appropriate authorization profile and is being denied access because the client's posture status is Not Applicable. The agent does not pop up, it just sits there idle. Strangely enough, it worked fine on the wire.

The ACL allows the hosts to talk on all ports to the PSNs.  The discovery host is configured, and sometimes the host says it is "logged in" even though it is not logged in.  Maybe this has to do with earlier wired connections.

Is there something I am missing in the client provisioning, or is there a bug?

I am also having the same problem since upgrading to 1.1.3.  Posturing seems to work fine when the Client is wired, but it never works on wireless.

Same problem here,

Let's admit that ISE is having serious issues with Ethernet Switches for Downloadable ACL, redirection URL and so forth.

I have been posting here for a while on that subject.

This product is not mature enough and needs too much expertise depending on your Cat IOS; 12.2 for 3750 is unstable.

Sometimes I get connected, Agent OK, but Windows says "connection failed".

Strange behaviour, no?

And you know what?

The ISE log shows everything OK!!!

Please Cisco, work on that, and RELEASE STABLE SOFTWARE AS YOU USED TO DO!

I WON'T RECOMMEND ISE AT ALL TO MY CUSTOMERS!!!!!!!!

V.

Can anyone provide some screenshots for this issue? I am curious to see how the policies are configured in the authorization policies. Also, are there any TAC cases opened to address any of these concerns, just to have a second set of eyes to rule out the configs?

Also, if you are running in a distributed deployment, can you try to perform a full syncup (requires services to restart) to see if this fixes the issue?

Tarik Admani
*Please rate helpful posts*

Hello Tarik, thanks for trying to help!

I guess that we all have configured the Sw and ISE as described in the documentation.

It would be kind to give us a standard Sw config that works. In my opinion, dACL is the point to be clarified urgently.

How to configure dACL on ISE? (pre-posture, redirect)

What are the ports? (8443, 8905, any?)

Do we need an ACL to be set in the Sw before the dACL is applied?

Please answer those questions first, and we will provide you some logs.

I am not able to have stable behaviour any more.

Latest tested IOS: c3750-ipbasek9-mz.122-52.SE.bin (compatibility matrix on Cisco Website)

We waste a lot of time, not trying to debug the software, but trying to find which parts work together.

Thanks again Tarik.
