Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


Cisco ISE 3.0 Agentless Posture - Status remains Not-Applicable

We are currently doing setup for agentless posture on ISE 3.0.  So far I have got all pre-requisites listed in Cisco guideline in place, however it seems to be not working. On the ISE agentless posture reports, it shows agentless script uploaded completed, but I don`t see agentless script being executed successfully on client, thus the endpoint is not showing any posture status in the radius live logs after 802.1x authentication 


The endpoint have got below setting enabled so far :

- PSRemoting is enabled and Remote Server management through WinRM is allowed

- Local admin is set for client and same is allowed for remote server management

- Firewall is set to allow port 5985, Reachability between client and ISE seems fine 


Now the posture process completes below steps successfully : 


- Endpoint gets 802.1x authentication 

- Agentless Posture option selected in authorization profile seems to be getting triggered upon 802.1x authentication

- ISE initiate remoteshell session on port 5985 and able to get in using local admin credential configured on ISE endpoint script.

- Admin certificate chain and script provisioning on client completes successfully and End point does receive "admin-script-formatted-xxxx.ps1" file 


From this stage two problem starts : 

1 - Script does not get execute on endpoint and the last log generated on endpoint "PostureScript xxx" output file remains - Script Provisioned Successfully, nothing beyond that. 

2 - Sometime the script does get execute but ends further with "Curl Error code 35 Unable to download agentless posture with return code" & "curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092013) - The revocation function was unable to check revocation because the revocation server was offline."


For point 1 - Not getting any clue what makes script to not get execute post provisioning on client

And for point 2 - CRL check failure or CRL server offline doesn't seems to be the actual cause, as from endpoint with manual checks to CDP - Certificate Distribution Path check for installed certificate i don't see any error and CRL validation complete successfully but same seems to be failing from posture script. 


I have been trying and looking at guides all over along with tac but so far no luck. Has anyone got this issue with ISE 3.0 agentless posturing? Any suggestion or input for further troubleshooting would be highly appreciated.  

Recognize Your Peers
Content for Community-Ad

ISE Webinars

Did you miss a previous ISE webinar?

CiscoISE YouTube Channel