topic When the client is in Posture in Wireless

5760 ise posture

nikhilcherian — Mon, 05 Jul 2021 14:03:13 GMT

Hi All,

Does 5760 support ISE posturing, I haven't seen any document regarding this nor any discussion in the support forum

The ISE compatibility matrix says it is supported, has any one worked on posturing with 5760

Regards

Nikhil

I am assuming you have 5760

Ambuj M — Thu, 18 May 2017 11:47:53 GMT

I am assuming you have 5760 as MC and 3850 or 3650 as MA and in this setup you are tying to perform posture check for wireless clients through ISE. It should be supported.

Posture validation is more of an ISE apex feature than wireless itself.

Whats important from wireless perspective is if the Authenticator supports COA, which in this case 5760 does.

**rate helpful posts**

Hi ,

nikhilcherian — Thu, 18 May 2017 12:37:34 GMT

Hi ,

Thanks for the reply,

I just have 5760 & I am trying to perform posture validation for wireless clients. The posture validation is success through & but doesn't work with 5760. My client is stuck in posture_required state.

Let me know if you have seen any documentation - design/configuration guide for 5760-ISE integration

Regards

Nikhil

http://www.cisco.com/c/en/us

Ambuj M — Thu, 18 May 2017 12:55:18 GMT

http://www.cisco.com/c/en/us/support/docs/wireless/5700-series-wireless-lan-controllers/117717-config-wlc-00.html

its not specific to posture, but validate your configuration with this, use 1812 and 1813 for auth and Acct port and ensure support for RFP3576 is in enabled state.

Can you post the ISE detailed log screenshot, version etc.

"The posture validation is success through & but doesn't work with 5760. My client is stuck in posture_required state." - Elaborate this.

Thanks for the reply, I can

nikhilcherian — Thu, 18 May 2017 13:16:29 GMT

Thanks for the reply, I can see a MACFILTER in WLAN config, which I feel is not required in the case of dot1x.

I don't have the logs with me, but client status is as below

>1>My client gets connected, hits the POSTURE-UNKNOWN rule in the ISE

>2>Client status is shown as POSTURE_REQD

>3>The anyconnect shows "WEB-AUTHENTICATION-REQD" & asks to open a browser

>4> If I open the browser, I get a request to enter the credentials( though I have configure SSO)

Regards

Nikhil

I can also see the below

nikhilcherian — Fri, 19 May 2017 06:04:53 GMT

I can also see the below message in my anyconnect

Bypassing AnyConnect scan—Your network is configured to use the Cisco NAC agent.

This message is mentioned in the anyconnect installation guide, but don't have much further explanation.

I missed some more things on my network.

>When I use the PC for with the wired network, I can see the Posturing is a success.

>When I use the same PC for the Guest access, in the 5760, it is a success. I use CWA with ISE. I use the same redirect ACL for CWA & posturing.

> The only point I am stuck is with the posturing in 5760

When the client is in Posture

nikhilcherian — Fri, 19 May 2017 10:36:32 GMT

When the client is in Posture required state, and the client does the discovery for the ISE server, WLC intercepts this request. Which interface in the WLC intercepts it, is it the management interface or the interface specified in the webauth profile. Since the VLAN for the SSID is only L2 & if the webauth interface is trying to intercept the packet my posturing will fail

What's there an address where

Ambuj M — Fri, 19 May 2017 13:07:07 GMT

What's there an address where I can send you some email ?

If not I would recommend engage TAC, there a lot of floating information, posture issues are easy to solve but I need to look into you policy, and failure logs on wlc as well as ISE.

you can mail me in nikhs@live

nikhilcherian — Fri, 19 May 2017 18:13:53 GMT

you can mail me in nikhs@live.com

Re: When the client is in Posture

nikhilcherian — Wed, 20 Dec 2017 04:26:18 GMT

Just in case this is helpful to anyone, I am adding something I found
1. In my setup, I got the message "Bypassing AnyConnect scan—Your network is configured to use the Cisco NAC agent." because the client wasn't hitting the CP rules
2. I added one more rule specific to the Wireless controller in the CP, saying if the "RADIUS called station id end with XYZ", this is the use the CP profile, Thanks to my friend who pointed out this to me
3. With this also, I didn't find my client downloading the Posture rule.
4. I had to edit the posture rules & add a specific rule to the Posture condition, saying if the "RADIUS called station id end with XYZ" use this Posture condition. This helped me to resolve the issues