topic Re: Cisco ISE - Posture Issues in Network Access Control

Cisco ISE - Posture Issues

pgiouvanellis — Sun, 15 Mar 2020 14:16:58 GMT

Hello Everyone ,

I am facing an issue trying to implement Posturing in a customer's enviroment .

Below are the details of the customer's network and the implementation i have done until know.

The endpoints are in vlan 100 , the switch that endpoints are connected does not have svi in vlan 100
but on management vlan which is vlan 50 .

The gateway of the endpoints is a vlan interface which is on Fortigate Firewall .

We use anyconnect posture agent and we have manual create ISEPostureCFG.xml profile where
we have assigned the domain names of ISE Nodes ( we have 2 nodes with PAN,MnT and PSN personas )
to Call Home List .

The issue that i am facing is that the end point agent is not able to retrieve configuration from ISE
and finally get message "Bypassing AnyConnect scan—Your network is configured to use the Cisco NAC agent."

Using the Dart Tool from endpoint i get the below erros : "Failed to retrieve http header X-ISE-PDP-WITH-SESSION."

I attached more logs from DART .

I tried to implement Posture with DACL and ACL Redirect but yntil know no obvious reason from not getting the agent run properly.

On firewall side not see any deny/block logs .

Has anyone faced the same problem with firewall in the middle of communications .

Please for any help if possible .

Thank You ,
Palaiologos

Re: Cisco ISE - Posture Issues

Cristian Matei — Sun, 15 Mar 2020 15:20:13 GMT

Hi,

By looking at the logs, there looks to be connectivity with ISE, and afterwards you have those 'error' messages to call it this way. So i see two options, without having too much details on the configuration and used software:

- ensure your posture is properly configured on ISE, as the messages tend to say otherwise (like the Anyconnect agent and profiles are not found in ISE policy): https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273

- ensure you apply the latest patch available to ISE for the version you're running, also try a stable version of Anyconnect, to avoid bugs; for example this looks similar to your setup: https://quickview.cloudapps.cisco.com/quickview/bug/CSCvo28970

Regards,

Cristian Matei.

Re: Cisco ISE - Posture Issues

pgiouvanellis — Sun, 15 Mar 2020 15:44:39 GMT

On ISE side i have configure a Client Provisioning Policy like described below :

- First download and upload to ISE the anyconnect package .

- Upload Compliace module

- Create a Posture Profile

- Create Anyconnect Configuration

- Create Client Provisioning Policy as the image i upload

i also though that maybe i am not hitting the cpp but for this i tried to Other Conditions to import a condition that

matches the endpoind Radius-Calling-Station-ID to be sure that i will match to this policy but no luck .

Thanks .

Re: Cisco ISE - Posture Issues

MatthewShaw4644 — Fri, 22 May 2020 18:47:11 GMT

I ran into this same error message, but in my case the problem was that none of my Client Provisioning Policies were matching. I had made an error in the External AD Groups selection for the EP.

I swam around in circles making sure my result didn't have a Temporal Agent in it.... but I guess that is some default when all your provisioning policies fail. Once I corrected that problem the posture module popped right up and downloaded the AC Configs.

**ISE 2.4 Patch 9, AC 4.8.3052 with ISE Posture module, wired dot1x.