03-07-2012 07:42 AM - edited 03-10-2019 06:53 PM
Hi,
I configured WiFi Guest Access with WLC and ISE and it works great.
Now I want to check client posture.
I configured a posture policy.
On Windows7 client, I installed NAC client. With network sniffer, I can see SWISS protocol (TCP 8905) between client and ISE.
In authentications log, Posture Status is always "NotApplicable"
Why is this posture not applicable?
Thanks a lot!
Patrick
03-11-2012 04:25 AM
You will need to check your authorization profile to make sure it has an action to check "session" "posture" EQUAL "compliant"
12-14-2012 10:32 AM
Guys,
I have the same problem here, and my rule is with Posture status EQUAL compliant.
Can you help me?
12-14-2012 10:29 PM
Rafael,
Can you please post a screenshot of your authorization policies?
Thanks,
Tarik Admani
*Please rate helpful posts*
12-15-2012 12:59 PM
What is the Preauthentication ACL (ACL-POSTURE-REDIRECT) on the WLC?
12-17-2012 05:04 AM
Peter, it is wired authentication.
Screen shot of the authorization rules http://uploaddeimagens.com.br/imagens/auth-jpg
12-17-2012 08:18 AM
Can you please post a screenshot of your settings for the authorization result for non compliant users, also do you have your client provisioning and posture policies configured?
Client provisioning - Is the profile that pushes out the client
Posture policies - Determines which rules that the clients must meet for posturing
Are you redirected and assigned to the proper vlan?
Also can you post a screenshot of the endpoint attribute for your test client (does the posture applicable field appear and is it set to "NO").
Thanks,
Tarik Admani
*Please rate helpful posts*
12-17-2012 09:02 AM
Hello Tarik,
Result NonCompliant: http://uploaddeimagens.com.br/imagens/result_noncompliant-jpg
Posture rule: http://uploaddeimagens.com.br/imagens/posture_rule-jpg
The client provisioning is set to force NAC Agent version 4.9.0.47
Yes, the vlan is correct.
The major problem is the NotApplicable status in the posture log. The ISE is not applying the posture; sometimes it works fine, sometimes it doesn't work and NotApplicable appears in the log.
12-17-2012 09:32 AM
Rafael,
It looks like you are using Chrome to manage your ISE (please do not use Chrome, it messes up your policies). Please use Mozilla so that I can get a better idea of what your remediation settings are set to. You may have to go back in and fix this.
Also you will need to turn on the web portal for posture discovery, and all the remediation ACLs and redirection ACLs will have to be in order for this to work.
Thanks,
Tarik Admani
*Please rate helpful posts*
03-22-2013 08:45 AM
I have a similar problem. I am running 1.1.3. The strange thing is that it was working a week ago. The client is not hitting the appropriate authorization profile and is being denied access because the client's posture status is Not Applicable. The agent does not pop up, it just sits there idle. Strangely enough, it worked fine on the wire.
The ACL allows the hosts to talk on all ports to the PSNs. The discovery host is configured, and sometimes the host says it is "logged in" even though it is not logged in. Maybe this has to do with earlier wired connections.
Is there something I am missing in the client provisioning, or is there a bug?
04-02-2013 12:54 PM
I am also having the same problem since upgrading to 1.1.3. Posturing seems to work fine when the Client is wired, but it never works on wireless.
04-02-2013 01:47 PM
Same problem here,
Let's admit that ISE is having serious issues with Ethernet switches for downloadable ACL, redirection URL and so forth.
I have been posting here for a while on that subject.
This product is not mature enough and needs too much expertise depending on your Cat IOS, 12.2 for 3750 are unstable.
Sometimes, I get connected, Agent OK, but Windows says "connection failed".
Strange behaviour, no?
And you know what?
ISE log shows everything OK!!!
Please Cisco work on that, and RELEASE STABLE SOFTWARE AS YOU USED TO DO!
I WON'T RECOMMEND ISE AT ALL TO MY CUSTOMERS!!!!!!!!
V.
04-02-2013 04:44 PM
Can anyone provide some screenshots for this issue? I am curious to see how the policies are configured in the authorization policies. Also are there any TAC cases opened to address any of these concerns just to have a second set of eyes to rule out the configs?
Also if you are running in a distributed deployment can you try to perform a full syncup (requires services to restart) to see if this fixes the issue?
Tarik Admani
*Please rate helpful posts*
04-03-2013 12:11 AM
Hello Tarik, thanks for trying to help!
I guess that we all have configured the Sw and ISE as described in the documentation.
It would be kind to give us a standard Sw config that works. In my opinion, dACL is the point to be clarified urgently.
How to configure dACL on ISE? (pre-posture, redirect)
What are the ports? (8443, 8905n any ?)
Do we need an ACL to be set in the Sw before the dACL is applied?
Please answer those questions first, and we will provide you some logs.
I'm not able to have a stable behaviour any more.
Latest tested IOS: c3750-ipbasek9-mz.122-52.SE.bin (compatibility matrix on Cisco website)
We waste a lot of time, not debugging the software, but trying to find which parts work together.
Thanks again Tarik.
04-03-2013 06:23 AM
vrz rrr,
There is a standard switch configuration. http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_sw_cnfg.html