
Cisco ISE Posture no policy server detected

jewfcb001
Level 4

Hi All,

I have run into the ISE Posture issue "No policy server detected". I searched the community and found a topic with the same issue, and I tried many methods to fix it, for example fixing the discovery host / Call Home list, but I am still facing the issue.

Note: I configured ASAv for AnyConnect VPN with ISE Posture.

Please advise.

 


marce1000
VIP

 

 FYI : https://community.cisco.com/t5/network-access-control/ise-no-policy-server-detected/td-p/3883122

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

@marce1000 

I tried following this topic but am still facing the issue.

jewfcb001
Level 4

Hi All , 

I used DART to get some logs, and I am wondering why the client sends an HTTP request to its gateway *192.168.10.1* instead of requesting the redirect URL from the ISE authorization.

 

 

======================================================================

2021/03/24 17:00:35 [Information] aciseagent Function: Target::fetchPostureStatus Thread Id: 0x644 File: target.cpp Line: 407 Level: debug POST request to URL (https://enroll.cisco.com:8905/auth/ng-discovery), returned status -1 <Operation Failed.>.
2021/03/24 17:00:35 [Information] aciseagent Function: Target::Probe Thread Id: 0x644 File: target.cpp Line: 201 Level: debug Status of Ng-Discovery target enroll.cisco.com with path /auth/ng-discovery is 6 <Not Reachable.>.
2021/03/24 17:00:37 [Information] aciseagent Function: hs_transport_winhttp_get Thread Id: 0x1664 File: hs_transport_winhttp.c Line: 4808 Level: debug unable to send request: 12002.
2021/03/24 17:00:37 [Information] aciseagent Function: Target::probeDiscoveryUrl Thread Id: 0x1664 File: target.cpp Line: 250 Level: debug GET request to URL (http://192.168.10.1/auth/discovery), returned status -1 <Operation Failed.>.
2021/03/24 17:00:37 [Information] aciseagent Function: Target::Probe Thread Id: 0x1664 File: target.cpp Line: 201 Level: debug Status of Redirection target 192.168.10.1 is 6 <Not Reachable.>.
2021/03/24 17:00:37 [Information] aciseagent Function: hs_transport_winhttp_get Thread Id: 0xDDC File: hs_transport_winhttp.c Line: 4808 Level: debug unable to send request: 12002.
2021/03/24 17:00:37 [Information] aciseagent Function: Target::probeDiscoveryUrl Thread Id: 0xDDC File: target.cpp Line: 250 Level: debug GET request to URL (http://192.168.20.1/auth/discovery), returned status -1 <Operation Failed.>.
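
A small parser for the aciseagent lines in the DART excerpt above, as an added example that is not part of the original post and not Cisco tooling: it groups the discovery probes by target so it is easy to see which hosts the posture module tried and that each came back "Not Reachable". The sample lines are copied from the post; pairing a WinHTTP send error with the next request on the same thread id is an assumption of this example.

```python
import re
from urllib.parse import urlsplit

# Log lines copied from the DART excerpt in the post above.
SAMPLE = """\
2021/03/24 17:00:35 [Information] aciseagent Function: Target::fetchPostureStatus Thread Id: 0x644 File: target.cpp Line: 407 Level: debug POST request to URL (https://enroll.cisco.com:8905/auth/ng-discovery), returned status -1 <Operation Failed.>.
2021/03/24 17:00:35 [Information] aciseagent Function: Target::Probe Thread Id: 0x644 File: target.cpp Line: 201 Level: debug Status of Ng-Discovery target enroll.cisco.com with path /auth/ng-discovery is 6 <Not Reachable.>.
2021/03/24 17:00:37 [Information] aciseagent Function: hs_transport_winhttp_get Thread Id: 0x1664 File: hs_transport_winhttp.c Line: 4808 Level: debug unable to send request: 12002.
2021/03/24 17:00:37 [Information] aciseagent Function: Target::probeDiscoveryUrl Thread Id: 0x1664 File: target.cpp Line: 250 Level: debug GET request to URL (http://192.168.10.1/auth/discovery), returned status -1 <Operation Failed.>.
2021/03/24 17:00:37 [Information] aciseagent Function: Target::Probe Thread Id: 0x1664 File: target.cpp Line: 201 Level: debug Status of Redirection target 192.168.10.1 is 6 <Not Reachable.>.
"""

THREAD = r"Thread Id: (0x[0-9A-Fa-f]+) .*?"
REQ = re.compile(THREAD + r"(GET|POST) request to URL \((\S+?)\), returned status (-?\d+)")
SEND_ERR = re.compile(THREAD + r"unable to send request: (\d+)")
PROBE = re.compile(r"Status of (\S+) target (\S+?)(?: with path \S+)? is \d+ <([^>]*)>")
WINHTTP = {12002: "ERROR_WINHTTP_TIMEOUT"}  # documented WinHTTP error code

def summarize(text):
    """Return one record per probed discovery target, keyed by host."""
    targets, pending_err = {}, {}
    for line in text.splitlines():
        if m := SEND_ERR.search(line):
            # Remember the transport error until the request line on the
            # same thread shows up (assumption: they belong together).
            pending_err[m.group(1)] = int(m.group(2))
        elif m := REQ.search(line):
            thread, method, url, status = m.groups()
            code = pending_err.pop(thread, None)
            targets.setdefault(urlsplit(url).hostname, {}).update(
                method=method, url=url, agent_status=int(status),
                transport_error=WINHTTP.get(code, code))
        elif m := PROBE.search(line):
            kind, host, result = m.groups()
            targets.setdefault(host, {}).update(kind=kind, probe=result.rstrip("."))
    return targets

def unreachable(targets):
    """Hosts whose Target::Probe result was 'Not Reachable'."""
    return sorted(h for h, t in targets.items() if t.get("probe") == "Not Reachable")

if __name__ == "__main__":
    for host, rec in summarize(SAMPLE).items():
        print(host, rec)
```
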

Mike.Cifelli
VIP Alumni

I have run into the ISE Posture issue "No policy server detected". I searched the community and found a topic with the same issue, and I tried many methods to fix it, for example fixing the discovery host / Call Home list, but I am still facing the issue.

A few items to check that typically cause this issue:

-Are you attempting to redirect or do redirection-less posturing?

-If redirecting are you allowing connectivity to Portal in dacl?

-If no redirect, do you have an ISEPostureCFG.xml here C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture? Without redirect setup OR no ISEPostureCFG file this notice appears in AC UI.  The redirect will allow you to hit provisioning portal in which ISE will then push down the respective XML files to unprovisioned/new clients.  For redirection-less provisioning use the profile editor and either manually deploy the file to unprovisioned clients OR rely on SCCM maybe.   

See here for guide: ISE Posture Prescriptive Deployment Guide - Cisco Community

HTH!

@Mike.Cifelli 

 

-Are you attempting to redirect or do redirection-less posturing?

 Do you mean trying the URL manually (https://ip-ise:8443), or not?

-If redirecting are you allowing connectivity to Portal in dacl?

  I have not configured a dACL on ISE.

 

Mike.Cifelli
VIP Alumni

Do you mean trying the URL manually (https://ip-ise:8443), or not?

-No. What I meant was that you don't necessarily have to have the portal redirect in order for posture to work. You can pre-deploy the ISEPostureCFG.xml file to clients so that the module is able to reach ISE without the need of redirect.

I have not configured a dACL on ISE.

-I assume if testing/using redirect that in your ISE authz profile you have the portal assigned with a dacl to assign to sessions.

I would recommend taking a peek at the link I shared above to understand options/workflows.  Also, have a peek at labminutes.com/video/sec for free tutorials. HTH!