topic Re: Policy server not found in Network Access Control

Policy server not found

erga — Fri, 10 Sep 2021 16:58:45 GMT

I am facing a very frustrating issue with newly imaged machines. Even when they have all the GPOs when connecting to wired or wireless the redirection to ISE does not happen. Proved this with a wireshark capture. They get redirected only when on VPN, the connectiondata.xml file gets created then there are no issues. They get redirected on wired/wireless

Spent countless hours troubleshooting this, I'm at loss as to what is happening. All the configurations are correct, ACLs are correct.

What other ways are there to redirect a user to the ISE portal for provisioning besides the dACL/ACL method

Re: Policy server not found

Marcelo Morais — Fri, 10 Sep 2021 18:50:23 GMT

Hi @erga ,

if my understanding is correct, you are talking about Posture - from Unknown to Compliant.

In your case it looks like that Wired & Wireless reach the Posture status Unknown, but there is no redirection to Posture status Compliant.

if this is your case, please take a look at: ISE Posture Flow in ISE 2.2 Compared to Earlier ISE Versions, search for Posture Flow in ISE 2.2.

"...

Step 12. In ISE 2.2, Posture process is divided into two stages. First stage contains set of traditional posture discovery probes to support backward compatibility with deployments which relays on URL Redirect.

...

Step 14.Stage two contains two discovery probes which allows AC ISE Posture Module to establish connection to the PSN where session is authenticated in environments where redirection is not supported. During stage two all probes are sequential.

..."

Hope this helps !!!

Re: Policy server not found

erga — Fri, 10 Sep 2021 23:16:06 GMT

Thank you, I configured the call home list and its still not working. I'm not in front of the machine to check the content of the ISEPostureCFG file.
By looking at the auth details in the switch the applied URL is correct. From my capture the machine is not attempting to go the ISE server.

Re: Policy server not found

Mike.Cifelli — Tue, 14 Sep 2021 13:05:42 GMT

Things to consider/check:

-What are the differences in policy config between campus (wired/wireless) and VPN? Check Client Provisioning Policies/Posture Policies.

-What are the differences between your authz profiles for VPN and campus?

-I would verify settings in the ISEPostureCFG file.

-Do you have separate radius policies to support the 3 states: unknown, compliant, noncompliant?

-Have you run a DART bundle on a respective client that is failing?

-Lastly, have you looked here for tshoot help:

ISE Posture Prescriptive Deployment Guide - Cisco Community

HTH!

Re: Policy server not found

erga — Wed, 15 Sep 2021 13:13:28 GMT

Thank you for the reply,

The authz profiles are all the same except for specific configurations to support VPN, wired and wireless. Wireless uses airspace-acl, VPN dacl is different than wired/wireless.

Yes, there are separate policies that support all 3 states.

I created a dart bundle, what I see is that enroll.cisco.com is not reachable – which should not be, its supposed to redirect the client to the ISE portal. Ran a wireshark capture and there is no attempt from the client to reach the ISE portal

The isepostureCFG.xml file never gets downloaded in the affected clients. The call home list is configured there.

Once the connectiondata.xml file gets created the redirection starts working.

I have a TAC case open for this as I’m not sure what else to look at.

One thing I haven’t tested is uploading the isepostureCFG.xml file manually in the client.