
Cisco ISE Non-Compliant Status not going to Compliant State

laurathaqi
Level 3

Dear community, 

 

I have a NonCompliant DACL which isolates the users so that they can only communicate with the services they need to reach in order to become compliant.

However, when a user does get into a NonCompliant state, it does not trigger talking to the services such as WSUS, and it gets stuck in NonCompliant status.

As a next step I also installed the updates manually, but the client still gets stuck in a NonCompliant state, thus not changing to a compliant state even after installing the updates.

 

The DACL for non compliant users is: 

permit udp any eq bootpc any eq bootps
permit udp any any eq 53
permit udp any any eq domain
permit ip any host 10.0.x.x
permit ip any host 10.0.x.x
permit ip any host 10.0.x.x
permit ip any host 10.0.x.x
permit ip any host 10.0.x.x
permit ip any host 10.0.x.x
permit ip any host 10.0.x.x
permit ip any host 10.0.x.x
permit udp any eq 68 any eq 67
permit udp any eq 161 any
permit icmp any any
deny ip any any

 

Do you have any idea why this could be the issue?

 

Thank you,

Laura. 


6 Replies

Mike.Cifelli
VIP Alumni

However, when a user does get into a NonCompliant state, it does not trigger talking to the services such as WSUS, and it gets stuck in NonCompliant status.

-Not sure I am following.  Are you suggesting that the dACL does not work when clients are in the non-compliant state? Is the dACL properly assigned to the authz profile that is then used as the result for clients that match the authz condition of non-compliant?

As a next step I also installed the updates manually, but the client still gets stuck in a NonCompliant state, thus not changing to a compliant state even after installing the updates.

-What are you using post patching to allow the client to get out of the non-compliant state via a new assessment? Do you have the 'Scan Again' button enabled in the AC posture UI? This would allow end user to manually trigger the probe which would end up re-assessing the end client post patching.

Hi @Mike.Cifelli 

 

Where is the "Scan Again" button located? I don't see it in the AC GUI?! Can I enable it in ISE somewhere, so that when AC is downloaded, it's enabled automatically!?

 

Thank you,

Laura

Mike.Cifelli
VIP Alumni
Accepted Solution

The scan again feature is a setting that is enabled/disabled in the ISEPostureCFG.xml that gets deployed to clients.  This is configured in ISE under: Policy->Policy Elements->Results->Client Provisioning->Resources.  On windows clients this config file is found here: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture

 

Within the xml profile the tag is this (if enabled): <EnableRescanButton>1</EnableRescanButton>

 

ISE posture UI will look like this when enabled:

[screenshot: pos_ui_scan_button.PNG]

ISE admin UI profile setting:

[screenshot: ise_pos_cfg_scan_button.PNG]

 

This allows manual intervention if desired.  HTH!
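As an added example (not code from the original thread or from Cisco): a PowerShell check, run on the Windows endpoint, that reads the ISEPostureCFG.xml deployed to the path Mike gives above and reports the EnableRescanButton value. The file path and the tag name come from the reply above; the function name, the returned object shape and the local-name() XPath (used so the lookup works whether or not the profile declares an XML namespace) are my own assumptions.

```powershell
# Added example, not from the original thread. Reads the ISE posture profile that
# client provisioning deployed to this Windows endpoint and reports whether the
# Scan Again (rescan) button is enabled. Path and tag name are from the reply above;
# the function name and the returned object are my own.
function Get-IsePostureRescanSetting {
    param(
        [string]$ProfilePath = 'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture\ISEPostureCFG.xml'
    )

    if (-not (Test-Path -LiteralPath $ProfilePath)) {
        # No profile on disk usually means client provisioning has not run yet
        # (or ran against a policy with no posture profile attached).
        return [pscustomobject]@{
            ProfilePath        = $ProfilePath
            ProfileFound       = $false
            EnableRescanButton = $null
            ScanAgainEnabled   = $false
        }
    }

    [xml]$cfg = Get-Content -LiteralPath $ProfilePath -Raw

    # Match the tag by local name so the lookup works whether or not the profile
    # declares an XML namespace; the thread shows only the tag, not its parent element.
    $node  = $cfg.SelectSingleNode('//*[local-name()="EnableRescanButton"]')
    $value = if ($null -ne $node) { $node.InnerText.Trim() } else { $null }

    [pscustomobject]@{
        ProfilePath        = $ProfilePath
        ProfileFound       = $true
        EnableRescanButton = $value
        # Only an explicit 1 enables the button. An absent tag is treated as disabled,
        # which matches the ISE default described later in the thread.
        ScanAgainEnabled   = ($value -eq '1')
    }
}

$result = Get-IsePostureRescanSetting
$result | Format-List

if (-not $result.ScanAgainEnabled) {
    Write-Warning ('Scan Again is not enabled in the deployed profile. Set "Enable Rescan Button" in ISE under ' +
                   'Policy > Policy Elements > Results > Client Provisioning > Resources (the AnyConnect Posture Profile) ' +
                   'rather than editing this file locally.')
}
```

Treat the local file as evidence of what ISE pushed, not as the place to fix it: the setting belongs in the ISE posture profile so that every client receives it at provisioning, which is what the question about enabling it "automatically" is after.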

Hi @Mike.Cifelli 

 

That's exactly what it was :). Amazing how you could identify the reason right away. Thank you for your support.

Best wishes,

Laura

How is this a solution?  It just states where to look but not how to enable this feature, other than in the XML file.  Changing that part will probably corrupt the file and therefore make it unusable.

I haven't done posturing yet, so you've got me curious. I think this is what they're talking about above; see this Charlie Moreton post (timestamp 02-14-2017 05:27 AM). It starts with the below.  On that page in my lab ISE v2.7 system, I can see the option to set "Enable Rescan Button", and it is disabled by default.

Navigate to Policy > Policy Elements > Results > Client Provisioning > Resources and download the Compliance Module you will use.  Upload the AnyConnect software here and then create an ISE Posture Profile by clicking the +Add button and selecting NAC Agent or AnyConnect Posture Profile.  Upload any other AD Modules you will use here, as well.

Regards,
David