I configured a single standalone ISE 2.2 in my lab to authenticate clients and push them to install the AnyConnect NAM, VPN and Compliance modules. Clients successfully authenticated and were redirected to the provisioning portal. Then they managed to install AnyConnect on their PCs and were asked to enter their AD username/password. This was successful too and they got connected to the network. But they got "Searching For Policy Server" and "Unauthorized Policy Server" error messages in their Posture module (under the System Scan title). I reviewed "ISEPostureCFG.xml", which was inside the ISE Posture folder on their computers, and the IP address of ISE was there. As a result, AnyConnect could not connect to ISE to report the posture results, and then they couldn't match a separate AUTHZ rule on ISE which has been configured for compliant clients. Any idea?
OK, you checked the profile file on the client and everything looks fine, right?
What authorization and ACL are pushed when the client is in the unknown state (at connection)?
What logs are you seeing on ISE?
These are my policy rules:
The authz policy "TE-WIRED-PRE-nCOMPLIANT" permits everything toward the ISE server and all client networks and puts clients in VLAN 500.
I reviewed the client PC for related files and saw there is only one file, named "configuration_bad.xml", inside the "NewConfigFiles" folder which contains my ISE IP address:
The "ISEPostureCFG.xml" file, which resides inside the "ISE Posture" folder, contains exactly the same content as the "configuration_bad.xml" file!
The "Configuration.xml" file resides inside another folder, "System", which contains the AnyConnect Connection Profile "TWired-Network" as seen in the following image, but there is no line containing the ISE IP address inside this file. Also you can see the "Unauthorized Policy Server" error message has been displayed too.
At the end, ISE shows the client has been successfully authenticated and matched the first authz rule (which has been created for compliant:unknown users).
It sounds like it could be an issue with the posture config file; are you able to include that?
I found when setting up my test environment, even though it was different from yours (2 ISE nodes behind F5) I needed to use FQDN instead of IP address for the posture configuration so I created a host entry for my test ISE servers on my test machine.
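A quick way to audit a posture configuration for the IP-vs-FQDN issue described above, as an added example that is not from the thread or from Cisco: it walks an XML file and flags every element text or attribute that is a bare IP literal. The sample XML is constructed and its element names are hypothetical; the real ISEPostureCFG.xml schema is not shown on this page.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample; element names are hypothetical and are NOT the real
# ISEPostureCFG.xml schema. Two entries use IP literals, one uses an FQDN.
SAMPLE_CFG = """<?xml version="1.0" encoding="UTF-8"?>
<PostureConfig>
  <Server name="ise-lab">192.0.2.10</Server>
  <Server name="ise-prod">ise01.example.com</Server>
  <Discovery host="198.51.100.5"/>
</PostureConfig>
"""


def is_ip_literal(value):
    """True if the string parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def find_ip_literals(xml_text):
    """Return (path, value) pairs for every element text or attribute
    that is a bare IP literal, in document order."""
    root = ET.fromstring(xml_text)
    hits = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        if elem.text and is_ip_literal(elem.text):
            hits.append((here, elem.text.strip()))
        for attr, val in elem.attrib.items():
            if is_ip_literal(val):
                hits.append((f"{here}@{attr}", val.strip()))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return hits


if __name__ == "__main__":
    for path, value in find_ip_literals(SAMPLE_CFG):
        print(f"{path}: {value} is an IP literal; use the ISE FQDN instead")
```

Point it at the file extracted from the client to see which entries would need changing to an FQDN (with a matching host entry or DNS record, as the reply above did).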
I know what you mean, when I first tried to set up provisioning it was almost impossible to find any good documentation on what is required for it to work properly. I had terrible results using the standalone ISE Posture Profile Editor program but then I read somewhere that you can create the configuration file in ISE itself.
Under Policy > Policy Elements > Results > Client Provisioning > Resources if you add an AnyConnect Posture Profile here it actually takes you through the values and gives you notes and descriptions for various settings which allowed me to actually get a working config going.
Glad to hear it is working for you now!