New Member

Posture Status for Smartphones - Android - Pending

I am trying to pass smartphones through our ISE infrastructure.  I have Windows working properly, it assigns a certificate, joins to the employee network, installs the NAC client, and requires remediation action.

When an Android phone (haven't tried iOS yet) tries to connect it receives a certificate, is profiled as Android, and then gets stuck in posture status pending.

I have attached a screenshot.

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Posture Status for Smartphones - Android - Pending

Check the detailed report on the PAN authentication page and confirm what authz profile you are getting. My guess is that you are getting the one for posture assessment because you are not meeting the conditions for your Android authz policy. Take a look at the endpoint profile entry and you'll probably find that one of the conditions is not being met.

For sure, you do not need the posture check included in the conditions.

7 REPLIES
New Member

Re: Posture Status for Smartphones - Android - Pending

Is it being profiled as an Android? If yes, create an authz policy to place it on the network with an authz profile that does not redirect to CPP. Place this authz policy above the one for windoze posture assessment.


Sent from Cisco Technical Support Android App

New Member

Posture Status for Smartphones - Android - Pending

I thought that's what I was doing; here's a screenshot of my authz rules. The Android authz rule is the 4th one down - above all the Windows posture-related rules.

New Member

Posture Status for Smartphones - Android - Pending

I was thinking - would reducing it to Registered Device (only registered devices would authenticate with 802.1x anyway) and SessionOS equals Android be vague enough to catch it and not allow it to pass?

Endpoint Id: C8:AA:21:02:16:75
Endpoint Profile: Android
IP Address:
Identity Store:
Identity Group: RegisteredDevices
Audit Session Id: ac1e10450000120e52056988
Authentication Method: dot1x
Authentication Protocol: EAP-TLS

This is how one Android device is being profiled - I would guess that would allow it if I opened the rule up more?

New Member

Posture Status for Smartphones - Android - Pending

Got it - wasn't enough to have sessionOS as Android.  Setting endpointpolicy to android seemed to do it.

New Member

Posture Status for Smartphones - Android - Pending

Hi David,

How do you create the attribute Endpoints:endpointpolicy?

Mine only has Endpoints:PostureApplicable available.

New Member

Posture Status for Smartphones - Android - Pending

I've attached screenshots. I'm on ISE 1.2.

These are the choices I have.
