Cisco Support Community

New Member

[ISE] Posture Status - Not applicable

Hi,

I configured WiFi Guest Access with WLC and ISE and it works great.

Now I want to check client posture.

I configured a posture policy

posture_policy.PNG

On Windows7 client, I installed NAC client. With network sniffer, I can see SWISS protocol (TCP 8905) between client and ISE.

In authentications log, Posture Status is always "NotApplicable"

posture_not_applicable.PNG

Why is this posture not applicable?

Thanks a lot!

Patrick

19 REPLIES
New Member

[ISE] Posture Status - Not applicable

You will need to check your authorization profile to make sure it has an action to check "session" "posture" EQUAL "compliant"

New Member

[ISE] Posture Status - Not applicable

Guys,

I have the same problem here, and my rule is with Posture status EQUAL compliant.

Can you help me?

[ISE] Posture Status - Not applicable

Rafael,

Can you please post a screenshot of your authorization policies?

Thanks,

Tarik Admani
*Please rate helpful posts*

Silver

[ISE] Posture Status - Not applicable

What is the Preauthentication ACL (ACL-POSTURE-REDIRECT) on the WLC?

New Member

[ISE] Posture Status - Not applicable

Peter, it is wired authentication.

Screen shot of the authorization rules http://uploaddeimagens.com.br/imagens/auth-jpg


[ISE] Posture Status - Not applicable

Can you please post a screenshot of your settings for the authorization result for non compliant users, also do you have your client provisioning and posture policies configured?

Client provisioning - Is the profile that pushes out the client

Posture policies - Determines which rules that the clients must meet for posturing

Are you redirected and assigned to the proper vlan?

Also can you post a screenshot of the endpoint attribute for your test client (does the posture applicable field appear and is it set to "NO").

Thanks,

Tarik Admani
*Please rate helpful posts*

New Member

[ISE] Posture Status - Not applicable

Hello Tarik,

Result NonCompliant: http://uploaddeimagens.com.br/imagens/result_noncompliant-jpg

Posture rule: http://uploaddeimagens.com.br/imagens/posture_rule-jpg

The client provisioning is set to force NAC Agent version 4.9.0.47

Yes, the vlan is correct.

The major problem is the NotApplicable status in the posture log; the ISE is not applying the posture. Sometimes it works fine, sometimes it doesn't work and NotApplicable appears in the log.


[ISE] Posture Status - Not applicable

Rafael,

It looks like you are using Chrome to manage your ISE (please do not use Chrome, it messes up your policies). Please use Mozilla so that I can get a better idea of what your remediation settings are set to. You may have to go back in and fix this.

Also you will need to turn on the web portal for posture discovery, and all the remediation ACLs and redirection ACLs will have to be in order for this to work.

Thanks,

Tarik Admani
*Please rate helpful posts*

New Member

Re: [ISE] Posture Status - Not applicable

I have a similar problem. I am running 1.1.3. The strange thing is that it was working a week ago. The client is not hitting the appropriate authorization profile and is being denied access because the client's posture status is Not Applicable. The agent does not pop up, it just sits there idle. Strange enough it worked fine on the wire.

The ACL allows the hosts to talk on all ports to the PSNs. The discovery host is configured, and sometimes the host says it is "logged in" even though it is not logged in. Maybe this has to do with earlier wired connections.

Is there something I am missing in the client provisioning, or is there a bug?

New Member

[ISE] Posture Status - Not applicable

I am also having the same problem since upgrading to 1.1.3. Posturing seems to work fine when the client is wired, but it never works on wireless.

New Member

[ISE] Posture Status - Not applicable

Same problem here,

Let's admit that ISE is having serious issues with Ethernet Switches for Downloadable ACL, redirection URL and so forth.

I have been posting here for a While on that subject.

This product is not mature enough and needs too much expertise depending on your Cat IOS; 12.2 for 3750 are unstable.

Sometimes I get connected, Agent OK, but Windows says "connection failed".

Strange behaviour, no?

And you know what?

ISE log shows everything OK!!!

Please Cisco work on that, and RELEASE STABLE SOFTWARE AS YOU USED TO DO!

I WON'T RECOMMEND ISE AT ALL TO MY CUSTOMERS!!!!!!!!

V.

[ISE] Posture Status - Not applicable

Can anyone provide some screenshots for this issue? I am curious to see how the policies are configured in the authorization policies. Also are there any TAC cases opened to address any of these concerns just to have a second set of eyes to rule out the configs?

Also if you are running in a distributed deployment can you try to perform a full syncup (requires services to restart) to see if this fixes the issue?

Tarik Admani
*Please rate helpful posts*

New Member

[ISE] Posture Status - Not applicable

Hello Tarik, thanks for trying to help !

I guess that we all have configured the Sw and ISE as described in the documentation.

It would be kind to give us a standard Sw config that works. In my opinion, dACL is the point to be clarified urgently.

How to configure dACL on ISE ? ( pre-posture, redirect ) ????

What are the ports ? ( 8443, 8905n any ?)

Do we need a ACL to be set in the Sw before the dACL is applied ???

Please answer those questions first, and we will provide you some logs.

I am not able to have a stable behaviour any more.

Latest tested IOS: c3750-ipbasek9-mz.122-52.SE.bin (compatibility matrix on Cisco Website)

We waste a lot of time trying not to debug the software, but trying to find which parts work together.

Thanks again Tarik.

New Member

[ISE] Posture Status - Not applicable

vrz rrr,

There is a standard switch configuration.  http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_sw_cnfg.html

New Member

[ISE] Posture Status - Not applicable

kylerossd,

does not work. Those confs are not good.

V.

New Member

Re: [ISE] Posture Status - Not applicable

I resolved my issue. I created a client agent profile and assigned agent version in client provisioning. Even though I didn't have to, it seemed to help. It also appears that Symantec endpoint 11 causes issues; if you clean list the NAC agent folder in Symantec endpoint protection the agent loads MUCH faster.

New Member

[ISE] Posture Status - Not applicable

I recommend you to first Verify/Create posture requirements

Policy > Policy Elements > Results > Posture > Requirements

The conditions are defined in the following location: Policy > Policy Elements > Conditions > Posture.

You also need to open these ports for the same

permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)

permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)

permit udp any host 80.0.80.2 eq 8906 --> This is for posture communication between NAC agent and ISE (Swiss ports)

New Member

[ISE] Posture Status - Not applicable

Hi Bhaskar,

that's a good point.

Now could you please give us the right posture ACL to be downloaded to the Switch (or set on a WLC). I think that some protocols are missing....

Regards.

V.

New Member

Re: [ISE] Posture Status - Not applicable

Here are some ports which need to be open; please use these

permit tcp any host 80.0.80.2 eq 443 (This is for URL redirect)

permit tcp any host 80.0.80.2 eq www

permit udp any host 80.0.80.2 eq 8905 (This is for posture communication between NAC agent and ISE (Swiss ports))

permit udp any host 80.0.80.2 eq 8906 (This is for posture communication between NAC agent and ISE (Swiss ports))

permit tcp any host 80.0.80.2 eq 8443 (This is for guest portal port)

permit tcp any host 80.0.80.2 eq 8905 (This is for posture communication between NAC agent and ISE (Swiss ports))

deny ip any any
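
Added example (not part of the original thread and not Cisco code): a small Python checker that evaluates an ACL written in the form posted above with first-match semantics and lists which of the ports named in the last reply are not permitted to the ISE node. The address 80.0.80.2 and the port list come from the posts; the function names are hypothetical, and only the `permit|deny <proto> any <any|host X> [eq P]` syntax used in this thread is parsed.

```python
import re

# Flows the last reply in this thread says must reach the ISE node.
REQUIRED = [("tcp", 443), ("tcp", 80), ("tcp", 8443),     # redirect, www, guest portal
            ("tcp", 8905), ("udp", 8905), ("udp", 8906)]  # posture (SWISS)
NAMED_PORTS = {"www": "80"}  # IOS shows TCP port 80 as "www"
ACE = re.compile(r"^(permit|deny)\s+(ip|tcp|udp)\s+any\s+"
                 r"(?:any|host\s+(\S+))(?:\s+eq\s+(\S+))?")

def parse_acl(text):
    """Parse the ACL lines; trailing annotations and other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ACE.match(line.strip())
        if not m:
            continue
        action, proto, host, port = m.groups()
        if port is not None:
            port = NAMED_PORTS.get(port, port)
            if not port.isdigit():
                continue  # named port that is not in NAMED_PORTS
            port = int(port)
        entries.append((action, proto, host, port))
    return entries

def decide(entries, proto, host, port):
    """First matching entry wins; falling off the end is the implicit deny."""
    for action, e_proto, e_host, e_port in entries:
        if (e_proto in ("ip", proto)
                and e_host in (None, host)
                and e_port in (None, port)):
            return action
    return "deny"

def missing_flows(acl_text, ise_host):
    """Return the REQUIRED flows that the ACL does not permit to ise_host."""
    entries = parse_acl(acl_text)
    return [flow for flow in REQUIRED
            if decide(entries, flow[0], ise_host, flow[1]) != "permit"]

# ACL entries copied from the two replies above (annotations dropped).
FIRST_REPLY = """permit tcp any host 80.0.80.2 eq 8905
permit udp any host 80.0.80.2 eq 8905
permit udp any host 80.0.80.2 eq 8906"""
LAST_REPLY = """permit tcp any host 80.0.80.2 eq 443
permit tcp any host 80.0.80.2 eq www
permit udp any host 80.0.80.2 eq 8905
permit udp any host 80.0.80.2 eq 8906
permit tcp any host 80.0.80.2 eq 8443
permit tcp any host 80.0.80.2 eq 8905
deny ip any any"""

if __name__ == "__main__":
    print(missing_flows(FIRST_REPLY, "80.0.80.2"))
    print(missing_flows(LAST_REPLY, "80.0.80.2"))
```

Run against a copy of the ACL actually pushed to the switch or WLC, it also catches ordering mistakes such as a `deny ip any any` placed above the permits.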
