topic Re: Cisco ISE Posture no policy server detected in Network Access Control

Cisco ISE Posture no policy server detected

jewfcb001 — Wed, 24 Mar 2021 09:54:16 GMT

Hi All ,

I found the the issue ISE Posture no policy server detected . I try to find the topic on community and found the same issue with me but I try to many method to fix the issue example . fix discovery host / call-home list . but still facing the issue .

Noted : I configure ASAv for Anyconnect VPN with ISE Posture .

Please advise me .

Re: Cisco ISE Posture no policy server detected

Mark Elsen — Wed, 24 Mar 2021 10:56:50 GMT

FYI : https://community.cisco.com/t5/network-access-control/ise-no-policy-server-detected/td-p/3883122

Re: Cisco ISE Posture no policy server detected

jewfcb001 — Wed, 24 Mar 2021 10:57:57 GMT

Hi All ,

I try to use DART and get some log and I see about why client request http to gateway *192.168.10.1* of client not request URL from redirect from ISE authorization.

======================================================================

2021/03/24 17:00:35 [Information] aciseagent Function: Target::fetchPostureStatus Thread Id: 0x644 File: target.cpp Line: 407 Level: debug POST request to URL (https://enroll.cisco.com:8905/auth/ng-discovery), returned status -1 <Operation Failed.>.
2021/03/24 17:00:35 [Information] aciseagent Function: Target::Probe Thread Id: 0x644 File: target.cpp Line: 201 Level: debug Status of Ng-Discovery target enroll.cisco.com with path /auth/ng-discovery is 6 <Not Reachable.>.
2021/03/24 17:00:37 [Information] aciseagent Function: hs_transport_winhttp_get Thread Id: 0x1664 File: hs_transport_winhttp.c Line: 4808 Level: debug unable to send request: 12002.
2021/03/24 17:00:37 [Information] aciseagent Function: Target::probeDiscoveryUrl Thread Id: 0x1664 File: target.cpp Line: 250 Level: debug GET request to URL (http://192.168.10.1/auth/discovery), returned status -1 <Operation Failed.>.
2021/03/24 17:00:37 [Information] aciseagent Function: Target::Probe Thread Id: 0x1664 File: target.cpp Line: 201 Level: debug Status of Redirection target 192.168.10.1 is 6 <Not Reachable.>.
2021/03/24 17:00:37 [Information] aciseagent Function: hs_transport_winhttp_get Thread Id: 0xDDC File: hs_transport_winhttp.c Line: 4808 Level: debug unable to send request: 12002.
2021/03/24 17:00:37 [Information] aciseagent Function: Target::probeDiscoveryUrl Thread Id: 0xDDC File: target.cpp Line: 250 Level: debug GET request to URL (http://192.168.20.1/auth/discovery), returned status -1 <Operation Failed.>.

Re: Cisco ISE Posture no policy server detected

jewfcb001 — Wed, 24 Mar 2021 10:59:32 GMT

@Mark Elsen

I try to following this topic but still facing the issue.

Re: Cisco ISE Posture no policy server detected

Mike.Cifelli — Wed, 24 Mar 2021 12:13:54 GMT

A few items to check that typically cause this issue:

-Are you attempting to redirect or do redirection-less posturing?

-If redirecting are you allowing connectivity to Portal in dacl?

-If no redirect, do you have an ISEPostureCFG.xml here C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture? Without redirect setup OR no ISEPostureCFG file this notice appears in AC UI. The redirect will allow you to hit provisioning portal in which ISE will then push down the respective XML files to unprovisioned/new clients. For redirection-less provisioning use the profile editor and either manually deploy the file to unprovisioned clients OR rely on SCCM maybe.

See here for guide: ISE Posture Prescriptive Deployment Guide - Cisco Community

HTH!

Re: Cisco ISE Posture no policy server detected

jewfcb001 — Thu, 25 Mar 2021 02:53:26 GMT

@Mike.Cifelli

-Are you attempting to redirect or do redirection-less posturing?

You mean try to manual url: https://ip-ise:8443 or not ?

-If redirecting are you allowing connectivity to Portal in dacl?

I not configure dacl on ise

Re: Cisco ISE Posture no policy server detected

Mike.Cifelli — Thu, 25 Mar 2021 13:23:34 GMT

You mean try to manual url: https://ip-ise:8443 or not ?

-No. What I meant was that you dont necessarily have to have the portal redirect in order for posture to work. You can pre-deploy the ISEPostureCFG.xml file to clients so that the module is able to reach ISE without the need of redirect.

I not configure dacl on ise

-I assume if testing/using redirect that in your ISE authz profile you have the portal assigned with a dacl to assign to sessions.

I would recommend taking a peek at the link I shared above to understand options/workflows. Also, have a peek at labminutes.com/video/sec for free tutorials. HTH!