https://community.cisco.com/t5/network-access-control/posture-assessment-passed-in-error-using-cisco-ise/m-p/2248837#M160518 <HTML><HEAD></HEAD><BODY><P> one thing i have noticed is that this particular laptop is not being profiled correctly. Its endpoint group is "Unknown" whereas a majority of all our Windows machines get profiled properly as "WorkStation".</P><P></P><P>I have compared the RADIUS output on the ISE for a working laptop and this not working laptop and there is no difference in terms of the attributes listed in the output.</P><P></P><P>I understand that in order to hit the built in profiling rule for windows 7, the User Agent Attribute must contain "Windows NT 6.1".</P><P></P><P>How can I find out on my windows machine what is contained in the attribute? can the NAC agent help provide me with this information? or the Windows registry perhaps?</P><P></P><P>thanks</P><P></P><P>Mario</P></BODY></HTML> Mon, 29 Apr 2013 15:05:29 GMT marioderosa2008 2013-04-29T15:05:29Z https://community.cisco.com/t5/network-access-control/posture-assessment-passed-in-error-using-cisco-ise/m-p/2248835#M160513 <P>Hi all,</P><P></P><P>I would like some help trying to understand why a client that has not been connected to the network for just over a month was allowed full network access despite the AV definitions being over 28days old.</P><P></P><P>We have 2 mandatory posture requirements,</P><P></P><P>1. Symantec Av MUST be installed</P><P>2. the AV definitions MUST be LESS THAN 28 days out of date</P><P></P><P>Currently, the machine I have is showing the AV defs as being 25th March 2013.</P><P></P><P>When I produce the detailed posture report, it even shows me that the two mandatory requirements as described above were successfully meant meaning the endpoint is posture compliant. Clearly this is not the case though...!</P><P></P><P>Is there anything else I can check on the ISE to help debug this?</P><P></P><P>Mario&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P> Mon, 11 Mar 2019 03:22:16 GMT https://community.cisco.com/t5/network-access-control/posture-assessment-passed-in-error-using-cisco-ise/m-p/2248835#M160513 marioderosa2008 2019-03-11T03:22:16Z https://community.cisco.com/t5/network-access-control/posture-assessment-passed-in-error-using-cisco-ise/m-p/2248836#M160516 <HTML><HEAD></HEAD><BODY><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Attached are exports of the authenticvation session pre-posture &amp; post-posture &amp; also the full posture report from the Cisco ISE.</P></BODY></HTML> Mon, 29 Apr 2013 14:06:44 GMT https://community.cisco.com/t5/network-access-control/posture-assessment-passed-in-error-using-cisco-ise/m-p/2248836#M160516 marioderosa2008 2013-04-29T14:06:44Z https://community.cisco.com/t5/network-access-control/posture-assessment-passed-in-error-using-cisco-ise/m-p/2248837#M160518 <HTML><HEAD></HEAD><BODY><P> one thing i have noticed is that this particular laptop is not being profiled correctly. Its endpoint group is "Unknown" whereas a majority of all our Windows machines get profiled properly as "WorkStation".</P><P></P><P>I have compared the RADIUS output on the ISE for a working laptop and this not working laptop and there is no difference in terms of the attributes listed in the output.</P><P></P><P>I understand that in order to hit the built in profiling rule for windows 7, the User Agent Attribute must contain "Windows NT 6.1".</P><P></P><P>How can I find out on my windows machine what is contained in the attribute? can the NAC agent help provide me with this information? or the Windows registry perhaps?</P><P></P><P>thanks</P><P></P><P>Mario</P></BODY></HTML> Mon, 29 Apr 2013 15:05:29 GMT https://community.cisco.com/t5/network-access-control/posture-assessment-passed-in-error-using-cisco-ise/m-p/2248837#M160518 marioderosa2008 2013-04-29T15:05:29Z https://community.cisco.com/t5/network-access-control/posture-assessment-passed-in-error-using-cisco-ise/m-p/2248838#M160520 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You might have two problems: </P><P></P><P>1. In ISE you have a gobal setting regarding the unsupported NAC Agent clients (Android, etc) that specifies what is their default compliance status. If the default setting is "compliant" and <SPAN style="text-decoration: underline;">you don't have a provisioning rule for that client or you simply don't have client provisioning rules</SPAN>, any machine that doesn't fit in the provisioning rule (ie ISE thinks that is not supported) will get a compliance status of compliant event though NAC Agent is installed and the rules are not satisfied.</P><P></P><P>2. NAC Agent version problem? <SPAN __jive_emoticon_name="grin" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/grin.gif"></SPAN> </P><P>I've seen in logs that you're using NAC Agent 4.9.1.6 but the latest recommended version of NAC Agent to be used with (the latest) ISE is version 4.9.0.51. </P><P></P><P>Version 4.9.1.6 is a NAC Appliance release and Cisco offers no guarantee that is 100% compatible with ISE.</P><P></P><P>Check</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp78131" rel="nofollow">http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp78131</A></P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><H3> Cisco NAC Agent Interoperability Between NAC Appliance and Identity Services Engine (ISE) </H3><P></P><A name="wp78132"></A><P> Cisco supports different versions of the NAC Agent for integration with&nbsp; NAC Appliance and ISE. Current releases are developed to work in either&nbsp; environment, however, interoperability between deployments is not&nbsp; guaranteed. Therefore, there is no explicit interoperability support for&nbsp; a given NAC Agent version intended for one environment that will&nbsp; necessarily work in the other. If you require support for both NAC&nbsp; Appliance and ISE using a single NAC Agent, be sure to test NAC Agent in&nbsp; your specific environment to verify compatibility. </P><P></P><A name="wp78133"></A><P> Unless there is a specific defect or feature required for your NAC&nbsp; Appliance deployment, Cisco recommends deploying the most current agent&nbsp; certified for your ISE deployment. If an issue arises, Cisco recommends&nbsp; restricting the NAC Agent's use to its intended environment and&nbsp; contacting Cisco TAC for assistance. Cisco will be addressing this issue&nbsp; through the standard Cisco TAC support escalation process, but NAC&nbsp; Agent interoperability is not guaranteed. </P><P></P><A name="wp78134"></A><P> Cisco is working on an approach to address NAC Agent interoperability testing and support in an upcoming release. </P></PRE></BODY></HTML> Tue, 30 Apr 2013 13:06:03 GMT https://community.cisco.com/t5/network-access-control/posture-assessment-passed-in-error-using-cisco-ise/m-p/2248838#M160520 Octavian Szolga 2013-04-30T13:06:03Z https://community.cisco.com/t5/network-access-control/posture-assessment-passed-in-error-using-cisco-ise/m-p/2248839#M160523 <HTML><HEAD></HEAD><BODY><P> Thanks mate!!</P><P></P><P>I think the NAC agent version is the issue. I wonder why that is why our NAC agent customisation packages aren't working too!!</P></BODY></HTML> Tue, 30 Apr 2013 22:20:58 GMT https://community.cisco.com/t5/network-access-control/posture-assessment-passed-in-error-using-cisco-ise/m-p/2248839#M160523 marioderosa2008 2013-04-30T22:20:58Z