topic Re: ISE Posture - No Policy Server Detected in Network Access Control

ISE Posture - No Policy Server Detected

SecurityJumbo — Sun, 25 Jun 2023 01:39:46 GMT

Hello guys,

I'm deploying the ISE posture policy and I run into the AnyConnect Posture return "No Policy Server Detected" as shown below.

The switch and machine are able to reach to the ISE ip and dns name.

I created the ISEPostureCFG.xml file and save it at "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture\"

The ISE AnyConnect Profile

I configured the Client Provisioning, Policy Element, Posture Policy and Policy Set.

Maybe there is a config missing or incorrect, not sure where I start to troubleshoot. Please assist me on this issue.

Re: ISE Posture - No Policy Server Detected

Nancy Saini — Sun, 25 Jun 2023 17:27:45 GMT

Check if redirection is working on the client when it connects to the network. Open browser and type any website and see if the URL is getting changed to client provisioning portal URL (sent from ISE). If no, then check redirect ACL defined on the switch and check if the redirect URL is seen on "show authentication session int gig <id> detail" output.

Re: ISE Posture - No Policy Server Detected

Aref Alsouqi — Mon, 26 Jun 2023 01:06:19 GMT

I would recommend generating the DART bundle on the machine and look at AnyConnect_ISEPosture.txt file. The file would show you the reason why it can't detect the PSN.

Re: ISE Posture - No Policy Server Detected

SecurityJumbo — Mon, 26 Jun 2023 02:13:47 GMT

Hello @Nancy Saini

The 8021x radius is successful and the ACLs applied as well. The host is matching the right policy and I see the Posture is pending in the Live Logs. The problem is when the authentication and authorization are done, I tried to browse anything in the host and nothing happened from the Redirection Action.

Also, I tired to browse the Redirection URL manually, and I got this error below.

But I noticed the Redirection URL returns error when I try it manually

Re: ISE Posture - No Policy Server Detected

Ambuj M — Mon, 26 Jun 2023 04:09:12 GMT

in the redirect acl add at top and try

deny ip any host <ise ip>

also make sure ip http secure-server is configured.

Re: ISE Posture - No Policy Server Detected

SecurityJumbo — Mon, 26 Jun 2023 17:00:12 GMT

@Ambuj M I did update the Redirection ACL. But the "ip http secure-server" command is not available on the virtual switch that I'm using.

The issue still there and not sure what else I need to check.

Re: ISE Posture - No Policy Server Detected

Ambuj M — Mon, 26 Jun 2023 20:08:31 GMT

ok, I am assuming device already has IP and everything and able to resolve DNS, and Promiscuous Mode is enabled on the vswitch, lets try this, under common task where it says, "static IP/Host" put the IP address of the PSN where you are redirecting and try the url with IP instead of FQDN again few times

Parallel start a TCP Dump on ISE under troubleshooting/diagnostics tool on the same PSN, share the capture, lets see see how ISE response when the page is accessed.

Re: ISE Posture - No Policy Server Detected

SecurityJumbo — Mon, 26 Jun 2023 22:11:06 GMT

@Ambuj M you are right the device has ip address and already passed the authentication and authorization policies.

I attached the ISE Tcpdump as requested.

ISE Ip = 192168.10.111

Supplicant ip =192.168.10.51

Jump host ip = 192.168.10.5

Re: ISE Posture - No Policy Server Detected

Ambuj M — Tue, 27 Jun 2023 01:37:46 GMT

either something is not captured right or fundamentally configuration is not correct. I don't even see any redirect traffic on ISE in capture.

follow these guides and make sure your config is correct, these are old but relevant.

https://community.cisco.com/t5/security-knowledge-base/ise-posture-prescriptive-deployment-guide/ta-p/3680273#toc-hId-61739320

https://www.labminutes.com/sec0279_ise_22_posture_assessment_anyconnect_client_1

Re: ISE Posture - No Policy Server Detected

SecurityJumbo — Tue, 27 Jun 2023 18:19:00 GMT

@Ambuj M and everyone else, I have checked current configuration and it looks good. It is either the switch or ISE not applying the Redirection action.

I tested the Portal URL and it is good. The "ip http secure-server" applied as well. Please let me know if you know anything else I need to check

Re: ISE Posture - No Policy Server Detected

ReFeeL — Wed, 28 Jun 2023 01:24:48 GMT

Has this problem been fixed yet?

Re: ISE Posture - No Policy Server Detected

Ambuj M — Wed, 28 Jun 2023 02:42:23 GMT

so earlier when you accessed the URL page manually it was not reachable, now it is reachable ?

but its just that client is not redirecting to provisioning portal automatically or even after opening a browser, correct ?

Also confirm if the client is trying to get redirected and ISE page is not loading or not even trying to get redirected ? based on REDIRECT ACL hits seems like its trying to redirect but page not loading, may be an MTU issue.

Re: ISE Posture - No Policy Server Detected

SecurityJumbo — Wed, 28 Jun 2023 04:17:35 GMT

@Ambuj M Thanks for the information. Let me clarify with more details:

When I click on the Portal Test (In the Portal setting page), the page is loading fine.

But when I copy the Redirection URL from the logs (Live Logs), it returns error "400 [Bad request]" as shown above.

I agree with you that the traffic is matching the Redirection ACL and I'm allowing all traffic in the DACL currently, but the client is not trying to open/load the Redirection URL a all. I tried to go some websites in the browser (I used different browsers), but nothing happened.

Not sure if I missed a configuration or maybe this is a virtual lab issue..

Re: ISE Posture - No Policy Server Detected

Ambuj M — Wed, 28 Jun 2023 21:26:59 GMT

based on auth details, your config seem good enough to redirect atleast, i am hoping there is no upstream firewall or acl (shoukd be able to ping ise from client) if so forget about posture for a min, if you did a simple hotspot guest portal can you redirect ?

also make sure to removed any custom logos and banner image from the portal customization page if you have any.

Re: ISE Posture - No Policy Server Detected

Aref Alsouqi — Wed, 28 Jun 2023 11:41:44 GMT

How many ISE nodes do you have? and does the endpoint use any proxy for web traffic?

Re: ISE Posture - No Policy Server Detected

SecurityJumbo — Thu, 29 Jun 2023 21:08:07 GMT

Hey guys, it is only one ISE and direct connection, No Proxy.

No upstream firewall or ACL. No custom portal setting. Using the default one. I will try to change the setting and see if that helps

Re: ISE Posture - No Policy Server Detected

SecurityJumbo — Fri, 30 Jun 2023 19:40:05 GMT

Okay, I knew it there is something in the switch. I used another switch and the URL redirecting works fine.

Re: ISE Posture - No Policy Server Detected

Aref Alsouqi — Sun, 02 Jul 2023 22:00:52 GMT

In that case I would compare the aaa config on both switches, including the redirect ACL, as well as the ensuring the http server is enabled on the switch. If you want to keep the http server enabled on the switch but denying any access to the switch http portal then you can use the following command:

ip http active-session-modules none

Re: ISE Posture - No Policy Server Detected

joseph.a.harman2.ctr@mail.mil — Mon, 23 Oct 2023 18:03:39 GMT

I know this post is old but "ip http secure-server" doesn't work for URL redirect during posturing in my experience. You need "ip http server." I also recommend adding the supplemental command, "ip htp active-session-modules none" unless you manage your switches via WebGUI.

Also, the ACL someone posted earlier was incorrect. You don't need to allow ISE and DNS traffic within the redirect ACL. The redirect ACL is not a traditional security ACL; it is only telling the switch which traffic to redirect, not which traffic is actually allowed or disallowed. Try a redirect ACL like this:

Extended IP access list REDIRECT_ACL
10 permit tcp any any eq www
20 deny ip any any log-input

Re: ISE Posture - No Policy Server Detected

hp.netwroking@kapitalbank.az — Tue, 03 Mar 2026 07:45:46 GMT

what was the difference in config ?