I'm deploying ISE 2.6 with AnyConnect 4.7; users are authenticated via AD and EAP-FAST with successful user and machine authentication. I have an issue: when ISE Posture tries to search for a policy server, it shows the message "No policy server detected".
In this case, the end customer wants to pass only compliant users for security, and non-compliant users should contact IT instead of downloading the AnyConnect package from the ISE remediation portal.
They have been working with ISEv1.2, and they redirect the NAC agent via redirect-ACL, and it is working fine, but I understand that ISE Posture now needs the iseposturecfg.xml file to reach ISE for posture by call home IP or FQDN, and I found in the AnyConnect 4.7 logs that it is not getting the iseposturecfg.xml file and it's using auth/Discovery and auth/enroll.cisco.com.
So, is there a way for ISE Posture to work like the NAC agent and ISEv1.2, with redirection instead of the XML file config, or am I missing some configuration from ISEv1.2 in ISEv2.3?
Have you tried opening up a browser during the posture unknown state? Do you get redirected to the portal? The AnyConnect posture module can use the same method as the NAC agent for redirection.
You can use the same redirect mechanism as what the NAC agent uses to get the posture configuration file. Or you can use the ISE 2.2 non-redirect based posture. You can pre-deploy this by manually creating the posture configuration file (using the AnyConnect ISE posture Profile editor) and dropping it into C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture\. For the non-redirect mechanism, you would need the "Call home" field pointing to the FQDN and port of the Client provisioning portal.
Thank you for your help. Is it required to point to the provisioning portal even when clients there will not download installation packages? Or even if it is not the provisioning portal?
Thanks a lot.