
Adding Posture Agentless Authz policies on a working TEAP Eap-chaining

Carlos T
Level 3

Hi,

I have a working LAB environment with ISE 3.3 (Patch 10) and a Windows 11 endpoint with the Windows Native Supplicant. This is using TEAP (EAP-TLS) for both machine and user authentication using certificates (machine certs + user certs already deployed in the endpoint). By using TEAP, we are using EAP-Chaining. This is working fine with no issues.


From this base working environment, we want to add "Agentless posture" checks, but this is failing, showing a "non compliant" posture result, even though the posture policy check we are doing is just Application visibility (default App visibility on ISE) to have an inventory of the applications.


I modified the working simple authz policies to adapt the "Agentless Posture" states (non compliant, compliant, unknown) following the generic implementation guide from this link: How To: Agentless Posture Configuration, validation & Troubleshooting - Cisco Community


Working environment policies and logs (before enabling Agentless Posture)

1. ISE Authorization Policies using TEAP (EAP-TLS) for machine, and machine + user authorization (EAP-chaining)

ISE Authz Policy 1.png


2. On ISE Radius Live Logs, we see both Authorization policies are hit first when the PC is connected (machine authz only), and then, when the user logs in (machine + user authz) via EAP Chaining.

ISE Logs 1.png


New Updated Authorization policies to support Agentless Posture and logs (After enabling Agentless Posture)

1. ISE Authorization Policies supporting Agentless posture:
    1. 3x Top Policies for the 3 possible posture states (non compliant, compliant, unknown) for machine + user authorization (EAP-chaining)
    2. 1x Bottom Policy for the very first time the machine is connected to the network (matching only user failed + machine succeeded). The result profile on this rule has the "Agentless" option selected to force the agentless process to trigger.

ISE Authz Policy 2.png

ISE Authz Policy 2-a.png


2. On ISE Radius Live Logs, we see that the first time the PC is powered on (before user login), the Authorization policy at the bottom of the list is hit; this is for user failed + machine succeeded and uses the result profile of Agentless Posture. This is fine and expected. Then, when the user logs in, it hits the "non compliant" posture status (matching the rule "Agentless Posture non compliant").


ISE Logs 2.png


From the detailed RADIUS log view, the following is taking my attention, but I am not sure whether seeing this "duplicate session" message below the posture check message is normal, or is an indication of an issue that has something to do with the posture.


ISE Logs 2-a.png


The host is shown in "context visibility"

ISE Logs 2-b.png


No Applications are visible

ISE Agentless Posture.png


Posture Policy is only application visibility

Posture_Policy.png


Posture Requirements

Posture_req1.png

Posture_req2.png


Posture condition

Posture_app_conditions.png


After restarting ISE, we see that this time it is stuck on the "pending" posture status.

logs_after_ise_restart1.png

logs_after_ise_restart2.png

As shown in the implementation guide, we enabled all the requirements on the endpoint, like enabling remote PowerShell, allowing the firewall rule for the inbound connection from ISE, and installing PowerShell 7.

Thanks
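A read-only readiness check for the endpoint prerequisites the post lists (remote PowerShell, inbound firewall rule from ISE, PowerShell 7) plus the local account a reply mentions, as an added example that is not part of the original post or of Cisco's guide; the ISE PSN address, the WinRM listener port and the local account name are placeholders/assumptions you must adjust.

```powershell
# Added example, not from the original post or Cisco's guide. Read-only check of the
# endpoint prerequisites the post lists for Agentless Posture. Placeholders/assumptions:
# the ISE PSN address, the WinRM listener port and the local account name.
function Test-AgentlessPostureReadiness {
    param(
        [string]$IsePsn          = '192.0.2.10',   # placeholder PSN address (assumption)
        [int]$WinRmPort          = 5986,           # assumed WinRM-over-HTTPS listener port
        [string]$IseLocalAccount = 'ise-posture'   # placeholder local account name (assumption)
    )
    $results = [ordered]@{}

    # 1. Remote PowerShell: the WinRM service must be running and start automatically.
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $results['WinRM service running']   = [bool]($winrm -and $winrm.Status -eq 'Running')
    $results['WinRM service automatic'] = [bool]($winrm -and $winrm.StartType -eq 'Automatic')

    # 2. Firewall: an enabled inbound Allow rule whose port filter covers the WinRM port.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow `
                 -ErrorAction SilentlyContinue | Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and
            (@($pf.LocalPort) -contains "$WinRmPort" -or @($pf.LocalPort) -contains 'Any')
    }
    $results["Inbound TCP/$WinRmPort rule enabled"] = [bool]$rules

    # Least privilege: the rule's remote address should be limited to the ISE PSN,
    # not 'Any', so only ISE can reach the remoting listener.
    $scoped = $rules | Where-Object {
        @(($_ | Get-NetFirewallAddressFilter).RemoteAddress) -contains $IsePsn
    }
    $results["Rule remote address scoped to $IsePsn"] = [bool]$scoped

    # 3. PowerShell 7: on PATH or at its default install location.
    $pwsh = Get-Command pwsh -ErrorAction SilentlyContinue
    $results['PowerShell 7 installed'] = [bool]$pwsh -or (Test-Path 'C:\Program Files\PowerShell\7\pwsh.exe')

    # 4. Local account used by ISE exists and is enabled.
    $acct = Get-LocalUser -Name $IseLocalAccount -ErrorAction SilentlyContinue
    $results["Local account '$IseLocalAccount' enabled"] = [bool]($acct -and $acct.Enabled)

    return $results
}

# Print each check as PASS/FAIL; fix every FAIL on the endpoint before re-testing posture.
$report = Test-AgentlessPostureReadiness
$report.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

Run it in an elevated PowerShell session on the endpoint; the NetSecurity and LocalAccounts cmdlets need administrator rights to read rules and accounts reliably.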

3 Replies

Just curious on the reason for Agentless Posture? Why not use MDM-based posture instead? Agentless requires a lot of negative security nuances on the endpoint and is an overall horrible user experience.

Thanks @ahollifield. Can you share which of the "negative security nuances on the endpoint" you have experienced?

Thanks!


All of this: "like Enabling remote power shell, allowing the firewall rule for inbound connection from ISE, and installing Power Shell 7." Also the local accounts required for agentless.