https://community.cisco.com/t5/network-access-control/ise-posture-status/m-p/3517069#M496325 <HTML><HEAD></HEAD><BODY><P>HI,</P><P></P><P>thank you for the quick reply. </P><P></P><P>Yes, my problem is with the low % level of the total complaint endpoints on my dashboard, its doesnt make sense to me that it should count devices that are not posture applicable in that gauge, and I assumed that this what the default compliance setting is for.</P><P></P><P>and I’m aware of the different posture states, but this is different because those endpoints are not even posture applicable so it shouldnt apply to them. </P><P></P><P>thank you,</P><P>snir</P></BODY></HTML> Tue, 10 Jul 2018 18:44:24 GMT snir_orlanczyk 2018-07-10T18:44:24Z https://community.cisco.com/t5/network-access-control/ise-posture-status/m-p/3517067#M496323 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>the % of postured devices in my network shows at around 49% even though the all of the netwrok devices that are required for postured are passing the posture check.</P><P></P><P>i started looking it up and noticed that every device that is not posture capable is in the "unknown" state. i've also made sure that my deafult compliance state is "compliant"</P><P></P><P>Thank you for the help</P></BODY></HTML> Tue, 10 Jul 2018 12:31:08 GMT https://community.cisco.com/t5/network-access-control/ise-posture-status/m-p/3517067#M496323 snir_orlanczyk 2018-07-10T12:31:08Z https://community.cisco.com/t5/network-access-control/ise-posture-status/m-p/3517068#M496324 <HTML><HEAD></HEAD><BODY><P>Is your question why the % of Compliant end points are low? If yes, it clearly depends on the end point &amp; the end point could be in one of the following posture status:</P><P><SPAN style="font-size: 13.3333px;"><BR /></SPAN><SPAN style="font-size: 13.3333px;">Unknown: No data was collected in order to determine posture state.</SPAN></P><P><SPAN style="font-size: 13.3333px;">Noncompliant: A posture assessment was performed, and one or more requirements failed.</SPAN></P><P><SPAN style="font-size: 13.3333px;">Compliant: The endpoint is compliant with all mandatory requirements.</SPAN></P><P><SPAN style="font-size: 13.3333px;"><BR /></SPAN></P><P><SPAN style="font-size: 13.3333px;">- Krish<BR /></SPAN></P></BODY></HTML> Tue, 10 Jul 2018 17:52:28 GMT https://community.cisco.com/t5/network-access-control/ise-posture-status/m-p/3517068#M496324 kvenkata1 2018-07-10T17:52:28Z https://community.cisco.com/t5/network-access-control/ise-posture-status/m-p/3517069#M496325 <HTML><HEAD></HEAD><BODY><P>HI,</P><P></P><P>thank you for the quick reply. </P><P></P><P>Yes, my problem is with the low % level of the total complaint endpoints on my dashboard, its doesnt make sense to me that it should count devices that are not posture applicable in that gauge, and I assumed that this what the default compliance setting is for.</P><P></P><P>and I’m aware of the different posture states, but this is different because those endpoints are not even posture applicable so it shouldnt apply to them. </P><P></P><P>thank you,</P><P>snir</P></BODY></HTML> Tue, 10 Jul 2018 18:44:24 GMT https://community.cisco.com/t5/network-access-control/ise-posture-status/m-p/3517069#M496325 snir_orlanczyk 2018-07-10T18:44:24Z https://community.cisco.com/t5/network-access-control/ise-posture-status/m-p/3517070#M496326 <HTML><HEAD></HEAD><BODY><P>In order for an endpoint not ISE-posture capable, such as Apple iOS devices, to move from unknown to compliant, the user needs to access the browser and click on start. Thus, if the endpoints not able to do so, I would suggest to assign them to a logical profile or a specific endpoint group and bypass posture on them, by not check Session:PostureStatus.</P></BODY></HTML> Tue, 10 Jul 2018 20:09:50 GMT https://community.cisco.com/t5/network-access-control/ise-posture-status/m-p/3517070#M496326 hslai 2018-07-10T20:09:50Z https://community.cisco.com/t5/network-access-control/ise-posture-status/m-p/3517071#M496327 <HTML><HEAD></HEAD><BODY><P>I Don’t check the posture status for those endpoints.</P><P>i Do MAB bypass for them(I check identit group membership and profile as the condition), and if they pass they get a dacl and access-accep, so that’s why I don’t understand why they have a posture status in the first place.</P></BODY></HTML> Wed, 11 Jul 2018 06:12:15 GMT https://community.cisco.com/t5/network-access-control/ise-posture-status/m-p/3517071#M496327 snir_orlanczyk 2018-07-11T06:12:15Z https://community.cisco.com/t5/network-access-control/ise-posture-status/m-p/3517072#M496328 <HTML><HEAD></HEAD><BODY><P>Will need further analysis to understand what is going on. I'd recommend to engage TAC &amp; debug further.&nbsp; </P></BODY></HTML> Wed, 11 Jul 2018 17:32:02 GMT https://community.cisco.com/t5/network-access-control/ise-posture-status/m-p/3517072#M496328 kvenkata1 2018-07-11T17:32:02Z