topic ISE - posture fails in Network Access Control

ISE - posture fails

kpanduric — Mon, 11 Mar 2019 03:02:07 GMT

Hello,

I have a problem at the posture checking phase. NAC agent fails to check for posture compliance and remediation never takes place. The client browser is beeing redirected to the following URL: https://ise.xxxx.yy:8443/guestportal/gateway?sessionId=AC16FA49000000778BF9058D&action=cpp, and then to https://ise.xxxx.yy:8443/auth/provisioning/evaluate (shown below)

Obviously there is a problem on ISE box, missing something. What could be the cause of the problem?

Best regards,

Kreso

ISE - posture fails

vikasyad — Tue, 14 May 2013 23:20:59 GMT

Please review the below link which might be helpful:

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html

ISE - posture fails

kpanduric — Fri, 17 May 2013 08:56:04 GMT

Hello Vikas,

thank you for the hint.

I have followed the procedure several times but still have the issue.

The TAC case has been opened and for two months I have received only few replies. The problem could be in the certificate issued by the local CA on the AD domain, but as I have not received neither solution nor workaround I can't move forward.

Regards,

ISE - posture fails

Najeeb Mohammad — Thu, 04 Jul 2013 07:39:25 GMT

hi kreso,

Have you got solution from TAC. I also face same issue.

ISE - posture fails

pankaj29in — Thu, 04 Jul 2013 07:59:18 GMT

Hi,

Try using self signed certificate that will clear the picture.

Regards
Pankaj

ISE - posture fails

kpanduric — Thu, 04 Jul 2013 10:15:36 GMT

Hi Mohammed,

as the TAC engineer and developer said, the problem is in the CA root certificate that was imported in DER format.

Try exporting the root CA certificate (not the one issued to the ISE node by the CA, but the one that is in the Certificate Store), convert it from PKCS#7,DER to X509,PEM format, delete the old CA root cert and import the one you just got as a result of conversion.

You will need some Linux/UNIX box with OpenSSL tools installed. Suppose you exported the original cert to file named cert1.pem, when you try to read it using the following command, you get an error:

# openssl x509 -in cert1.pem -inform DER -text

unable to load certificate

following some ASN error messages. To convert it use the following command:

openssl pkcs7 -inform der -in cert1.pem -print_certs > cert2.pem

Now you can read cert data using the command:

openssl x509 -inform pem -in cert2.pem -noout -text

The file cert2.pem is the one that should be imported as a root CA certificate into the Certificate Store on ISE.

HTH,

Kreso

Re: ISE - posture fails

Najeeb Mohammad — Thu, 04 Jul 2013 15:22:04 GMT

Hi Kreso,

Thanks for your valuable input, problem got solved now. Instead of using openssl we re issued the CA certificate from the local CA and uploaded to ISE ceritification store. The issue was with the old CA certificate.

Thanks alot.

Regards

Najeeb

Re: ISE - posture fails

Najeeb Mohammad — Thu, 04 Jul 2013 15:23:15 GMT

Hi Pankaj,

The problem got solved, it was the issue of CA Certificate . Thanks for your quick response.

Regards

Najeeb

ISE - posture fails

manjeets — Thu, 22 Aug 2013 14:30:03 GMT

You can use below link for future perspective :

https://techzone.cisco.com/t5/Identity-Services-Engine-ISE/Posture-Services-on-the-Cisco-ISE-Configuration-Guide/ta-p/221702