topic Re:Posture Status for Smartphones - Android - Pending in Network Access Control

Posture Status for Smartphones - Android - Pending

David Boos — Mon, 11 Mar 2019 03:44:37 GMT

I am trying to pass smartphones through our ISE infrastructure. I have Windows working properly, it assigns a certificate, joins to the employee network, installs the NAC client, and requires remediation action.

When an Android phone (haven't tried iOS yet) tries to connect it receives a certificate, is profiled as Android, and then gets stuck in posture status pending.

I have attached a screenshot.

Thanks.

Re:Posture Status for Smartphones - Android - Pending

gschmitt.ngit — Thu, 08 Aug 2013 20:06:05 GMT

Is it being profiled as an android? If yes, create an authz policy to place it on the network with an authz profile that does not redirect to cpp. Place this authz policy above the one for windoze posture assessment.

Sent from Cisco Technical Support Android App

Posture Status for Smartphones - Android - Pending

David Boos — Sat, 10 Aug 2013 02:46:17 GMT

I thought that's what I was doing, here's a screenshot of my authz rules. The android authz rule is 4th one down - above all the windows posture related rules.

Posture Status for Smartphones - Android - Pending

gschmitt.ngit — Sat, 10 Aug 2013 03:05:09 GMT

Check the detailed report on the pan authentication page and confirm what authz profile you are getting. My guess is that you are getting the one for posture assessment because you are not meeting the conditions for your android authz policy. Take a look at the endpoint profile entry and you'll probably find that one of the conditions is not being met.

for sure, you do not need the posture check included in the conditions.

Posture Status for Smartphones - Android - Pending

David Boos — Sat, 10 Aug 2013 03:17:54 GMT

I was thinking - would reducing it to Registered Device (only registered devices would authenticate with 802.1x anyway) and SessionOS equals Android be vague enough to catch it and not allow it to pass?

Endpoint Id	C8:AA:21:02:16:75
Endpoint Profile	Android
IP Address
Identity Store
Identity Group	RegisteredDevices
Audit Session Id	ac1e10450000120e52056988
Authentication Method	dot1x
Authentication Protocol	EAP-TLS

This is how one android device is being profiled - I would guess that would allow it if I opened the rule up more?

Posture Status for Smartphones - Android - Pending

David Boos — Sat, 10 Aug 2013 03:40:25 GMT

Got it - wasn't enough to have sessionOS as Android. Setting endpointpolicy to android seemed to do it.

Posture Status for Smartphones - Android - Pending

andikamulya — Thu, 22 Aug 2013 07:57:07 GMT

Hi David,

How do you create attribute Endpoints:endpointpolicy?

Mine here only available Endpoints:PostureAppicable.

Posture Status for Smartphones - Android - Pending

David Boos — Sat, 24 Aug 2013 15:04:09 GMT

I've attached screenshots. I'm on ISE 1.2.

These are the choices I have.