topic Re: Cisco ISE Non-Compliant Status not going to Compliant State in Network Access Control

Cisco ISE Non-Compliant Status not going to Compliant State

laurathaqi — Wed, 12 Jan 2022 14:35:56 GMT

Dear community,

I have a NonCompliant DACL which does isolate the users to communicate only to some services it needs to reach in order to get compliant.

However, when the users does get to a NonCompliant state, it does not triggert taling to the Services such as WSUS. And it gets stuck to UnCompliant status.

As a next step I also did install the updates manually, but the Client still gets stuck in a NonCompliant state, thus not changing to compliant state even after installing the updates.

The DACL for non compliant users is:

permit udp any eq bootpc any eq bootps
permit udp any any eq 53
permit udp any any eq domain
permit ip any host 10.0.x.x
permit ip any host 10.0.x.x
permit ip any host 10.0.x.x
permit ip any host 10.0.x.x
permit ip any host 10.0.x.x
permit ip any host 10.0.x.x
permit ip any host 10.0.x.x
permit ip any host 10.0.x.x
permit udp any eq 68 any eq 67
permit udp any eq 161 any
permit icmp any any
deny ip any any

Do you have any idea why this could be the issue?

Thank you,

Laura.

Re: Cisco ISE Non-Compliant Status not going to Compliant State

Mike.Cifelli — Wed, 12 Jan 2022 15:04:54 GMT

However, when the users does get to a NonCompliant state, it does not triggert taling to the Services such as WSUS. And it gets stuck to UnCompliant status.

-Not sure I am following. Are you suggesting that the dacl does not work when clients are in the non-compliant state? Is the dacl properly assigned to the authz profile that is then used as the result for clients that match the authz condition of non-compliant?

As a next step I also did install the updates manually, but the Client still gets stuck in a NonCompliant state, thus not changing to compliant state even after installing the updates.

-What are you using post patching to allow the client to get out of the non-compliant state via a new assessment? Do you have the 'Scan Again' button enabled in the AC posture UI? This would allow end user to manually trigger the probe which would end up re-assessing the end client post patching.

Re: Cisco ISE Non-Compliant Status not going to Compliant State

laurathaqi — Wed, 12 Jan 2022 15:16:17 GMT

Hi @Mike.Cifelli

Were is the "Scan Again" located? I don't see it in the AC GUI?! Can I enable it in ISE somewhere, so when AC its downloaded, its enabled automatically!?

Thank you,

Laura

Re: Cisco ISE Non-Compliant Status not going to Compliant State

Mike.Cifelli — Wed, 12 Jan 2022 16:59:56 GMT

The scan again feature is a setting that is enabled/disabled in the ISEPostureCFG.xml that gets deployed to clients. This is configured in ISE under: Policy->Policy Elements->Results->Client Provisioning->Resources. On windows clients this config file is found here: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture

Within the xml profile the tag is this (if enabled): <EnableRescanButton>1</EnableRescanButton>

ISE posture UI will look like this when enabled:

ISE admin UI profile setting:

This allows manual intervention if desired. HTH!

Re: Cisco ISE Non-Compliant Status not going to Compliant State

laurathaqi — Thu, 13 Jan 2022 12:31:27 GMT

Hi @Mike.Cifelli

That's exactly what is was :). Amazing how you could identify the reason right away. Thank you for your support.

Best wishes,

Laura

Re: Cisco ISE Non-Compliant Status not going to Compliant State

rbill1967 — Fri, 30 Sep 2022 18:45:05 GMT

How is this a solution? It just states where to look but not how to enable this feature, other than on the xml file. Changing that part will probably corrupt the file and therefore make it unusable.

Re: Cisco ISE Non-Compliant Status not going to Compliant State

davidgfriedman — Fri, 30 Sep 2022 20:16:25 GMT

I haven't done posturing yet so you've got me curious. I think this is what they're talking about above, see this Charlie Moreton / timestamp 02-14-2017 05:27 am05:27 AM post. It starts with the below. On that page in my lab ISE v2.7 system, I can see the option to set "Enable Rescan Button", and it is disabled by default.

Navigate to Policy > Policy Elements > Results > Client Provisioning > Resources and download the Compliance Module you will use. Upload the AnyConnect software here and then create and ISE Posture Profile by clicking the +Add button and selecting NAC Agent or AnyConnect Posture Profile. Upload any other AD Modules you will use here, as well.

Regards,
David