
anyconnect-win-4.3.x.x.x-isecompliance-webdeploy-k9.pkg

laurathaqi
Level 3

Dear community, 

 

As I am deploying the AnyConnect posture module of ISE, I noticed another package in the Software downloads portal named "anyconnect-win-4.3.x.x.x-isecompliance-webdeploy-k9.pkg". What is this about? 

Does it have to do with the compliance module, that is usually downloaded directly from ISE portal, on the configurations module of Posture!?

 

The AnyConnect package that I am planning to deploy is the "anyconnect-win-4.10.x.x-webdeploy-k9.pkg", and based on documentation, this is the correct one for the AnyConnect Agent to be downloaded and installed from hosts.

 

Thank you,

Laura 


Hi @laurathaqi 

The ISE Compliance module is used by the AnyConnect Client and provides the ability to assess an endpoint's compliance for Anti-Virus, Anti-Spyware, Anti-Malware, Firewall, Disk Encryption etc. software installed on the client's computer. This information is used by ISE when determining the posture of a computer. This compliance module is updated regularly with new vendors and versions of software etc.

 

If configuring ISE posture, you need the AnyConnect ISE posture module and the ISE compliance module.

Hi @Rob Ingram 

 

Thank you for your feedback! 

 

Can you please share a guide on configuring the compliance module and posture module. 

My configuration is currently stuck at the "checking device is AnyConnect is installed" and it seems that this might be the issue. 

Even though I was assuming it is an AnyConnect package version issue! 

 

The configuration so far is being able to do the redirect but is stuck at the checking device scanning. 

I did the configuration based on the Cisco ISE 3.0 documentation guides. The setup does not have a firewall in-between. It is internal communication between: Host -> Access Switch -> Core Switch -> Cisco ISE.

 

Switch "show auth ses int f0/7" shows that the user is authenticated and authorized first, then when posture hits, it limits it into the unknown Policy rule as configured. 

 

Please find images attached showing details. 

 

Looking forward to hearing from you,

Thank you,

Laura

@laurathaqi here are some guides:-

 

https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273

https://integratingit.wordpress.com/2019/08/17/ise-wired-dot1x-posture/

 

Can you provide the output of "show auth ses int f0/7" please?

Have you also pushed down a DACL as well during authz?

Hi @Rob Ingram ! 

 

Yes, I have pushed a DACL to allow the user to access the ISE PSN, DNS and Domain and Deny all other traffic.

The output of "show auth ses int f0/7" is currently unavailable to me as I am currently not connected in a session with the client, but I do know what the session contains: 

1. It has the dot1x details with successful AuthZ and AuthC.

2. Has the redirect URL shown in the session. 

3. Had the DACL downloaded from ISE 

 

The wired issue is that, with an old image of AnyConnect, it worked fine. However, I wanted to use the latest versions, thus deleted the old one, and am left with the following: 

AnyConnectDesktopWindows 4.10.3104.0

AnyConnectComplianceModuleWindows 4.3.2336.614

However, I have not saved the version I was using before, so I am not able to tell what version it was. 

 

I think it is a version mismatch between the AnyConnect and the compliance module. However, I am not sure how to prove or further troubleshoot this. 

The really bad thing is that the Posture troubleshooting in ISE 3.0 is not working at all. 

 

Any suggestions on how to further troubleshoot the details of the Client Provisioning part?! 

 

Thank you,

Laura 

Hi @laurathaqi 

So the only thing that has changed is the images? In which case it could well be an incompatibility issue.

 

I did a quick search and found this bug for AnyConnect - ISE Compliance Module compatibility for AnyConnect 4.10.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa00660 but it has no information, it was modified today so perhaps they are writing it as I type.

 

Perhaps upload an older version of anyconnect and the compliance module to rule out an issue or log a call with TAC.

 

Hi @Rob Ingram 

 

Yes, the only thing that has changed is the images. 

 

I will try to do a test with older versions today. Do you have a suggestion what version of AnyConnect with what version of ISE Compliance module should I try? 

 

TAC is open but their process of questions and answers takes too long. I asked for a Webex meeting, and hopefully we get something back by today or tomorrow. 

 

Thank you,

Laura 

Hi @Rob Ingram 

 

I recreated the full scenario today, with an old version of the AnyConnect. And in my first test, I was able to download AnyConnect, with the process as it should be. However, at the end, after AnyConnect downloads and the AnyConnect posture module installs, I was getting an error of "Network Setup Assistant - Failed to launch Cisco AnyConnect Secure Mobility Client Downloader." Please find image of NSA attached with the error. 

 

Tried to also run the exe file manually and I am getting the error of "Windows can not access the specified device, path or file", which is also attached in this comment as "PermissionsFailed". 

 

After having this issue, I tried to download once more, from the Portal, and I am getting the forever scanning "DeviceSecurityCheck", that does not finish till session times out. 

 Any suggestions would be highly appreciated. 

 

Thank you,

Laura

I would suggest focusing on -- Windows can not access the specified device, path or file

Start by verifying whether AnyConnect core is installed properly. Also, you may try manually installing the binaries of AnyConnect modules.

 

Hi @hslai 

 

I noted today that the Antivirus is stopping the AnyConnect client in the Quarantine Manager. Please see thread: https://community.cisco.com/t5/network-access-control/cisco-ise-anyconnect-client-quarantine-by-sophos-antivirus/td-p/4500631

 

Any suggestions on how to proceed!? 

 

Thank you,

Laura 

Rob Ingram,

CSCwa00660 is to doc the behavior observed in CSCvy53730

AC 4.10 RN > ISE Posture Compliance Module

(CSCvy53730-Windows only) AnyConnect 4.9.06037 and above cannot update the Compliance Modules from ISE that are shipped with AnyConnect 4.9MR5 or earlier. Due to this change, Compliance Module version 4.3.1634.6145 or later are required for AnyConnect 4.9.06037 and above.