Solved: Re: Cisco ISE No Policy Server Detected - Pushed from the ASA

garybrophy · ‎05-13-2022

HI All,

Hoping someone can point me on the correct direction.

I'm trying to get posturing up and running.

I have used the ASA to enable the module download from the group policy

I have used the ISE Profile Posture Editor to create the xml file and uploaded it to the ASA and apply to group policy

When users connect with Anyconnect the module is being downloaded successfully but they get

System Scan

No policy server detected

Default Network access is in effect.

Checking the Anyconnect folder the users are getting the ISE Posture folder and downloading the ISEPostureCFG xml file.

For the discovery host I used the IP address of the ISE node and callhome the DNS name of it

<CallHomeList>ise1.customerdomain</CallHomeList>

Has anyone been able to resolve a similar situation before. I am not sure where I should be looking.

Thanks

Gary

Full xml file here

<?xml version="1.0" encoding="UTF-8"?>
<cfg
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xmlns='http://www.cisco.com/nac/agent/config-1.0'
xsi:schemaLocation='http://www.cisco.com/nac/agent/config-1.0 ISEPostureCFG.xsd'>
<configName>ISE_Posture.isp</configName>
<NacAnyConnectDrpDown>AnyConnectAgent</NacAnyConnectDrpDown>
<BackOffTimerLimit>30</BackOffTimerLimit>
<LogTrace>0</LogTrace>
<RetransmissionLimit>4</RetransmissionLimit>
<PingMaxTimeout>1</PingMaxTimeout>
<RetransmissionDelay>60</RetransmissionDelay>
<StealthMode>0</StealthMode>
<EnableNonRedirectionFlow>1</EnableNonRedirectionFlow>
<ServerNameRules>*</ServerNameRules>
<OperateOnNonDot1XWireless>0</OperateOnNonDot1XWireless>
<RemediationTimer>45</RemediationTimer>
<DhcpRenewDelay>1</DhcpRenewDelay>
<CallHomeList>ise1.customerdomain</CallHomeList>
<LogFileSize>5</LogFileSize>
<PRARetransmissionTime>120</PRARetransmissionTime>
<EnableAgentIpRefresh>1</EnableAgentIpRefresh>
<DartCount>3</DartCount>
<PingArp>0</PingArp>
<DhcpReleaseDelay>4</DhcpReleaseDelay>
<StealthWithNotification>0</StealthWithNotification>
<SignatureCheck>0</SignatureCheck>
<DiscoveryHost>10.10.10.1</DiscoveryHost>
<StateSyncProbeInterval>0</StateSyncProbeInterval>
<EnableRescanButton>0</EnableRescanButton>
<VlanDetectInterval>0</VlanDetectInterval>
<DisableUAC>0</DisableUAC>
<PeriodicProbing>30</PeriodicProbing>
</cfg>

garybrophy · ‎09-15-2022

worked with Cisco on the issue and we could not get it working with just the ASA deploying everything.

Cisco advised that they dont recommend doing it from the ASA anyway and to use re-direct.

Customer was ok with that advise so we set it up with redirect and all works well

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

View solution in original post

Charlie Moreton · ‎05-13-2022

The Discovery Host should NOT be ISE. It shouldn't be anything that you can connect to prior to passing posture. Most use enroll.cisco.com. The failure to reach the address will force the redirection and the call home list to be used.

garybrophy · ‎05-13-2022

Thanks Charlie,

I'll make that change and use enroll.cisco.com for the discovery host.

It will probably be Monday before the customer can test it out.

Ill update once done.

Much appreciated

Marcelo Morais · ‎05-13-2022

Hi @garybrophy ,

please take a look at ISE Posture Flow in ISE 2.2 Compared to Earlier ISE Version, search for Posture Flow in ISE 2.2, remember that:

. In ISE 2.2+, we still have the same four Probes from Pre-ISE 2.2 (Stage 1: Default GW, enroll.cisco.com, Discovery Host and previously connected PSN) but two new Probes have been added (Stage 2: Call Home List and ConnectionData.xml)

Note: about Discovery Host ... a better practice is to place a URL that will trigger a connection (ie a resolvable name). The AnyConnect Client already tries ENROLL.CISCO.COM so you use an internal URL like www.company.com or an external URL like www.google.com as long as the name can be resolved and the Redirect URL is triggered.

Hope this helps !!!

garybrophy · ‎06-09-2022

Hi Marcelo,

Sorry about the delay in response, I was unexpectedly out of the office and then the customer was on Annual leave

I changed the dsicovery host as you mentioned.

<DiscoveryHost>enroll.cisco.com/DiscoveryHost>
<CallHomeList>ise1.customerdomain</CallHomeList>
<ServerNameRules>*</ServerNameRules>

I did notice I had a couple of issues with my polices, I was not hitting the correct one.
Corrected them and I am hitting the my posture unknown policy.

I was still getting the same issue "no policy server detected"

Taking a capture on the Firewall and a tcp dump on ISE I see the communication on port 8905
When connected in the dns for ise1.customerdomain resolves fine.

I wasnt using redirection for client provisioning as my thoughts were I was pushing this out from the ASA itself so there was no need for it but I configrued redirection anyway as it wasn't working for me

I then get the following when I connect in

Bypassing Anyconnect Scan
Your Network is configured to Use Cisco Temporal Agent

Checking the radius logs on ISE I see Posture Status for my connection as Pending or NotApplicable

Any other suggestions would be appreciated

Thanks

garybrophy · ‎06-09-2022

Hi Charlie,

Sorry about the delay in response, I was unexpectedly out of the office and then the customer was on Annual leave

I changed the dsicovery host as you mentioned.

<DiscoveryHost>enroll.cisco.com/DiscoveryHost>
<CallHomeList>ise1.customerdomain</CallHomeList>
<ServerNameRules>*</ServerNameRules>

I did notice I had a couple of issues with my polices, I was not hitting the correct one.
Corrected them and I am hitting the my posture unknown policy.

I was still getting the same issue "no policy server detected"

Taking a capture on the Firewall and a tcp dump on ISE I see the communication on port 8905
When connected in the dns for ise1.customerdomain resolves fine.

I wasnt using redirection for client provisioning as my thoughts were I was pushing this out from the ASA itself so there was no need for it but I configured redirection anyway as it wasn't working for me

I then get the following when I connect in

Bypassing Anyconnect Scan
Your Network is configured to Use Cisco Temporal Agent

Checking the radius logs on ISE I see Posture Status for my connection as Pending or NotApplicable

Any other suggestions would be appreciated

Thanks

Mike.Cifelli · ‎05-14-2022

Make sure nothing is blocking TCP 8905 in the path between tested client and ISE PSNs.

You mentioned this: callhome the DNS name of it

-Make sure when in the AC Unknown state that the name is actually resolvable. If not, you may be better off with simply the IPs of the PSNs and test accordingly

Once that is done here are some other items to verify/check for in regard to the workflow:

Verify that your authz conditions are setup properly to support posturing. Double check your actual posture policy. Make sure whatever conditions you are attempting to utilize are legit options for the test client to hit/match against/on. Lastly, take a peek @Marcelo Morais shared workflow guide.

garybrophy · ‎06-09-2022

Hi Mike,

Sorry about the delay in response, I was unexpectedly out of the office and then the customer was on Annual leave

I changed the dsicovery host as you mentioned.

<DiscoveryHost>enroll.cisco.com/DiscoveryHost>
<CallHomeList>ise1.customerdomain</CallHomeList>
<ServerNameRules>*</ServerNameRules>

I did notice I had a couple of issues with my polices, I was not hitting the correct one.
Corrected them and I am hitting the my posture unknown policy.

I was still getting the same issue "no policy server detected"

Taking a capture on the Firewall and a tcp dump on ISE I see the communication on port 8905
When connected in the dns for ise1.customerdomain resolves fine.

I wasnt using redirection for client provisioning as my thoughts were I was pushing this out from the ASA itself so there was no need for it but I configrued redirection anyway as it wasn't working for me

I then get the following when I connect in

Bypassing Anyconnect Scan
Your Network is configured to Use Cisco Temporal Agent

Checking the radius logs on ISE I see Posture Status for my connection as Pending or NotApplicable

Any other suggestions would be appreciated

Thanks

Aileron88 · ‎06-09-2022

Hi,

You won't need to use redirection if you're pushing the ISE posture configuration from your ASA.

I would recommend checking your client provisioning policy. Although you're not provisioning, this will still be checked. Make sure you have the correct AC version, correct compliance module version and you're not filtering out the users with groups.

garybrophy · ‎06-09-2022

Hi Aileron88

Client provisioning policy looks good. Im using any identity group & windows all and same anyconnect version and module as the ASA

Regards

garybrophy · ‎09-15-2022

worked with Cisco on the issue and we could not get it working with just the ASA deploying everything.

Cisco advised that they dont recommend doing it from the ASA anyway and to use re-direct.

Customer was ok with that advise so we set it up with redirect and all works well

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html