03-15-2020 07:16 AM
Hello Everyone,
I am facing an issue trying to implement Posturing in a customer's environment.
Below are the details of the customer's network and the implementation I have done until now.
The endpoints are in vlan 100; the switch that the endpoints are connected to does not have an SVI in vlan 100
but only on the management vlan, which is vlan 50.
The gateway of the endpoints is a vlan interface which is on the Fortigate Firewall.
We use the AnyConnect posture agent and we have manually created the ISEPostureCFG.xml profile, where
we have assigned the domain names of the ISE Nodes (we have 2 nodes with PAN, MnT and PSN personas)
to the Call Home List.
The issue that I am facing is that the endpoint agent is not able to retrieve the configuration from ISE
and finally gets the message "Bypassing AnyConnect scan—Your network is configured to use the Cisco NAC agent."
Using the DART Tool from the endpoint I get the below error: "Failed to retrieve http header X-ISE-PDP-WITH-SESSION."
I attached more logs from DART.
I tried to implement Posture with DACL and ACL Redirect, but until now there is no obvious reason for the agent not running properly.
On the firewall side I do not see any deny/block logs.
Has anyone faced the same problem with a firewall in the middle of the communication?
Any help would be appreciated.
Thank You ,
Palaiologos
03-15-2020 08:20 AM
Hi,
By looking at the logs, there looks to be connectivity with ISE, and afterwards you have those 'error' messages, to call them this way. So I see two options, without having too many details on the configuration and used software:
- ensure your posture is properly configured on ISE, as the messages tend to say otherwise (like the Anyconnect agent and profiles are not found in ISE policy): https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273
- ensure you apply the latest patch available to ISE for the version you're running, also try a stable version of Anyconnect, to avoid bugs; for example this looks similar to your setup: https://quickview.cloudapps.cisco.com/quickview/bug/CSCvo28970
Regards,
Cristian Matei.
03-15-2020 08:44 AM
On the ISE side I have configured a Client Provisioning Policy as described below:
- First download and upload to ISE the AnyConnect package.
- Upload the Compliance module.
- Create a Posture Profile.
- Create the AnyConnect Configuration.
- Create the Client Provisioning Policy as in the image I uploaded.
I also thought that maybe I am not hitting the CPP, but to rule this out I tried, under Other Conditions, to import a condition that
matches the endpoint Radius-Calling-Station-ID to be sure that I will match this policy, but no luck.
Thanks.
05-22-2020 11:47 AM
I ran into this same error message, but in my case the problem was that none of my Client Provisioning Policies were matching. I had made an error in the External AD Groups selection for the EP.
I swam around in circles making sure my result didn't have a Temporal Agent in it.... but I guess that is some default when all your provisioning policies fail. Once I corrected that problem the posture module popped right up and downloaded the AC Configs.
**ISE 2.4 Patch 9, AC 4.8.3052 with ISE Posture module, wired dot1x.