Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4946
Views
0
Helpful
4
Replies

"No policy server detected" Anyconnect 4.7

raulantoniorz91
Level 1
Level 1

‎09-19-2019 04:43 PM

Hi everyone,

 

I'm deploying ISE 2.6 with Anyconnect 4.7, users are authenticated via AD and EAP-FAST with user and machine success authentication. I have an issue when ISE Posture try to search a policy server it shows message "No policy server detected".

 

In this case, end customer wants to pass only compliant users for security, and non-compliant users should contact IT instead of download Anyconnect package from ISE remediation portal.

 

They have working with ISEv1.2, and they redirect NAC agent via redirect-ACL, and it is working fine, but  I understand that now ISE Posture needs iseposturecfg.xml file to reach ISE for posture by call home IP or FQDN and I found in Anyconnect 4.7 logs that is not getting iseposturecfg.xml file and it's using auth/Discovery and auth/enroll.cisco.com.

 

So, there is a way ISE Posture works as NAC agent and ISEv1.2 with redirection instead xml file config or am I missing some configuration from ISEv1.2 in ISEv2.3?

 

0 Helpful
4 Replies 4

howon
Cisco Employee
Cisco Employee

‎09-20-2019 12:32 PM

Have you try opening up browser during posture unknown state, do you get redirected to the portal? AnyConnect posture module can use the same method as NAC agent for redirection.

0 Helpful

Rahul Govindan
VIP Alumni
VIP Alumni

‎09-20-2019 12:51 PM

You can use the same redirect mechanism as what the NAC agent uses to get the posture configuration file. Or you can use the ISE 2.2 non-redirect based posture. You can pre-deploy this by manually creating the posture configuration file (using the AnyConnect ISE posture Profile editor) and dropping it into C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture\. For the non-redirect mechanism, you would need the "Call home" field pointing to the FQDN and port of the Client provisioning portal.  

0 Helpful

raulantoniorz91
Level 1
Level 1
In response to Rahul Govindan

‎09-20-2019 02:53 PM

Hi,

 

Thank you for your help, Is it required to point to provisioning portal even when clients there will not download installation packages? Or even if it is not provisioning portal?

 

Thanks a lot.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents