https://community.cisco.com/t5/network-access-control/cisco-ise-trying-to-posture-a-device-that-should-not-be-able-to/m-p/2316515#M111383 <P><STRONG style="text-decoration: underline; ">Overview:</STRONG></P><P>Cisco ISE version 1.1.4. Windows PC will be postured using Web NAC agent. Mobile devices (Apple/Android) can't be postured and will be exempted from posturing. Mobile devices will be exempted using the condition <SPAN style="font-size: 10pt;">EndPoints:PostureApplicable EQUALS No. This worked fine and mobile devices will be caught by this condition while Windows device will be caught by another that sends to posturing. </SPAN></P><P></P><P>Mobile device authorisation policy configured:</P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/6/2/1/148126-Authz.PNG" alt="Authz.PNG" class="jive-image-thumbnail jive-image" onclick="" width="450" /></P><P></P><P><STRONG style="text-decoration: underline; ">Problem:</STRONG></P><P>A few days later, mobile devices doesn't seem to end up in the policy that has <SPAN style="font-size: 10pt;">EndPoints:PostureApplicable EQUALS No. After having a look at monitoring, Cisco ISE is classifies&nbsp; mobile devices as Posturable. The Posture Status previously was "NotApplicable" now shows up as "Pending". See below.</SPAN></P><P><SPAN style="font-size: 10pt;"><IMG src="https://community.cisco.com/legacyfs/online/legacy/4/2/1/148124-notapplicable.PNG" alt="notapplicable.PNG" class="jive-image" /><BR /></SPAN></P><P></P><P><STRONG style="text-decoration: underline; ">Troubleshooting:</STRONG></P><P>I tried a total of 4 different mobile devices. 2 Apple and 2 Android. All of them have the Posture Status of "Pending". Interestingly after a few tries, both the Androids starting working and have the PostureStatus of "NotApplicable", no configuration changes were made. The 2 Apple device still doesn't work and show up as "Pending".</P><P>I have restarted ISE, Access Point and Apple device. I have also tried other Apple device. All with the same problem.</P><P></P><P>Have any of you guys experienced this before?</P> Mon, 11 Mar 2019 03:42:01 GMT nomadicwifi 2019-03-11T03:42:01Z https://community.cisco.com/t5/network-access-control/cisco-ise-trying-to-posture-a-device-that-should-not-be-able-to/m-p/2316515#M111383 <P><STRONG style="text-decoration: underline; ">Overview:</STRONG></P><P>Cisco ISE version 1.1.4. Windows PC will be postured using Web NAC agent. Mobile devices (Apple/Android) can't be postured and will be exempted from posturing. Mobile devices will be exempted using the condition <SPAN style="font-size: 10pt;">EndPoints:PostureApplicable EQUALS No. This worked fine and mobile devices will be caught by this condition while Windows device will be caught by another that sends to posturing. </SPAN></P><P></P><P>Mobile device authorisation policy configured:</P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/6/2/1/148126-Authz.PNG" alt="Authz.PNG" class="jive-image-thumbnail jive-image" onclick="" width="450" /></P><P></P><P><STRONG style="text-decoration: underline; ">Problem:</STRONG></P><P>A few days later, mobile devices doesn't seem to end up in the policy that has <SPAN style="font-size: 10pt;">EndPoints:PostureApplicable EQUALS No. After having a look at monitoring, Cisco ISE is classifies&nbsp; mobile devices as Posturable. The Posture Status previously was "NotApplicable" now shows up as "Pending". See below.</SPAN></P><P><SPAN style="font-size: 10pt;"><IMG src="https://community.cisco.com/legacyfs/online/legacy/4/2/1/148124-notapplicable.PNG" alt="notapplicable.PNG" class="jive-image" /><BR /></SPAN></P><P></P><P><STRONG style="text-decoration: underline; ">Troubleshooting:</STRONG></P><P>I tried a total of 4 different mobile devices. 2 Apple and 2 Android. All of them have the Posture Status of "Pending". Interestingly after a few tries, both the Androids starting working and have the PostureStatus of "NotApplicable", no configuration changes were made. The 2 Apple device still doesn't work and show up as "Pending".</P><P>I have restarted ISE, Access Point and Apple device. I have also tried other Apple device. All with the same problem.</P><P></P><P>Have any of you guys experienced this before?</P> Mon, 11 Mar 2019 03:42:01 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-trying-to-posture-a-device-that-should-not-be-able-to/m-p/2316515#M111383 nomadicwifi 2019-03-11T03:42:01Z https://community.cisco.com/t5/network-access-control/cisco-ise-trying-to-posture-a-device-that-should-not-be-able-to/m-p/2316516#M111393 <HTML><HEAD></HEAD><BODY><P>Having a quick look I did find there were scenarios found in which </P><P>EndPoints:PostureApplicable attribute was set to null it was found in beta-testing of 1.2. </P><P>That could explain why some of the devices started working after a few tries. </P><P></P><P>Do you mind opening a TAC case and/or trying 1.2 release (if you have a testing ISE set up).</P><P></P><P>M.</P></BODY></HTML> Mon, 29 Jul 2013 11:34:53 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-trying-to-posture-a-device-that-should-not-be-able-to/m-p/2316516#M111393 Marcin Latosiewicz 2013-07-29T11:34:53Z https://community.cisco.com/t5/network-access-control/cisco-ise-trying-to-posture-a-device-that-should-not-be-able-to/m-p/2316517#M111406 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I have also experienced the same issues as yourself and would recommend opening a tac case. However I have used the device registration web portal to redirect all previous detected mobile devices to accept the aup and have them statically assigned to an endpoint group so they do not hit this scenario.</P><P></P><P>I know it is a workaround but its the only way i could get this to work and not affect devices that were one time detected as such.</P><P></P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Mon, 29 Jul 2013 14:41:36 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-trying-to-posture-a-device-that-should-not-be-able-to/m-p/2316517#M111406 Tarik Admani 2013-07-29T14:41:36Z