01-23-2025 01:22 AM
Hi everyone,
I'm facing some challenges while configuring Posture with closed mode and an IBNS 2 setup.
First, is it possible to perform posture checks in closed mode?
How did you manage port configuration and ACL/DACL settings?
My configuration seems to be working, but the PC never connects when booting while already plugged in.
Thanks for your help!
01-23-2025 01:26 AM
But as far as I know, posture does not work with closed mode; you need low-impact mode to allow some traffic between the client and ISE. After posture succeeds, the client will get full access.
MHM
01-23-2025 01:39 AM
@David-IT yes you can perform ISE posture in closed mode, you just need to ensure the devices pass authentication - so ensure you have run monitor mode for a period.
Typically posture is only run when the user logs in, not when the computer is authenticating. What authorisation policy rules do you have configured?
You use the ACL pre-configured on the switch if you use redirection-based posture, or use the redirectionless method, in which case you don't need the ACL. https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html#anc7
Yes, the DACL is applied post authentication. You can apply a different DACL, depending on whether the device is compliant or non-compliant.
Having multiple VLANs is an administrative overhead. I would typically rely on the switchport to define the VLAN, if you wish to restrict access then push down the DACL or use SGTs depending on posture compliance.
01-27-2025 07:42 AM
Everything works well, especially when I disconnect the cable.
The ACL, web browser pop-up, and all checks confirm that everything is functioning correctly.
However, the main issue arises when I start the PC.
In this situation, the automatic check does not run, and even when I try to manually trigger the checks through the browser, I get an error that the agent is not detected.
01-27-2025 07:47 AM
@David-IT what policies have you configured? For computer / users etc - provide screenshots.
What is the state of "show authentication session interface gig x/x/x detail" when it fails and when it does work?
01-30-2025 01:20 AM
I get the error: "Cisco ISE unable to detect AnyConnect posture agent." on the workstation
Strangely, everything works fine after a shut/no shut action on the port. However, on the first boot, it fails at the switch redirect and doesn't let me pass this first step.
Thanks for your help.
ISE Version: 3.4
ISE Secure Client: 5.1.7.80
Extended IP access list ACL_REDIRECT
10 deny udp any eq bootpc any eq bootps
20 deny udp any any eq domain
30 deny ip any host <cisco ise ip address>
40 permit tcp any any eq www
50 permit tcp any any eq 443
60 deny ip any any
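As an added example (not from the thread or from Cisco), the following Python models how the switch evaluates the posted ACL_REDIRECT as a redirect ACL, so you can verify that DHCP, DNS and ISE traffic are exempt from redirection while web traffic is redirected; the ISE, client and server addresses are constructed placeholders.

```python
"""Evaluate ACL_REDIRECT as a switch applies an ISE redirect ACL: 'permit' lines are
redirected to the ISE portal, 'deny' lines (and the implicit deny) flow normally."""
import ipaddress
ISE_IP = "192.0.2.10"  # constructed placeholder for <cisco ise ip address> in the thread
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80}
ACL_TEXT = f"""Extended IP access list ACL_REDIRECT
10 deny udp any eq bootpc any eq bootps
20 deny udp any any eq domain
30 deny ip any host {ISE_IP}
40 permit tcp any any eq www
50 permit tcp any any eq 443
60 deny ip any any"""

def parse_acl(text):
    """Return ACEs as (action, proto, src, sport, dst, dport); port None = any."""
    aces = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or not toks[0].isdigit():
            continue  # skip the 'Extended IP access list' header line
        fields, i = [], 3
        for _ in range(2):  # source spec, then destination spec
            net = "0.0.0.0/0" if toks[i] == "any" else toks[i + 1]  # 'host X'
            i += 1 if toks[i] == "any" else 2
            port = None
            if i < len(toks) and toks[i] == "eq":
                port, i = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1]), i + 2
            fields += [ipaddress.ip_network(net), port]
        aces.append((toks[1], toks[2], *fields))
    return aces

def is_redirected(aces, proto, src, sport, dst, dport):
    """First-match evaluation; no match means the implicit deny (not redirected)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, sp, dnet, dp in aces:
        if p in ("ip", proto) and s in snet and d in dnet and sp in (None, sport) and dp in (None, dport):
            return action == "permit"
    return False

def check_redirect_acl(acl_text, ise_ip, client="10.1.1.50"):  # constructed client IP
    """Flows a posturing client needs: DHCP, DNS and ISE exempt; web redirected."""
    aces = parse_acl(acl_text)
    return {
        "dhcp_exempt": not is_redirected(aces, "udp", "0.0.0.0", 68, "255.255.255.255", 67),
        "dns_exempt": not is_redirected(aces, "udp", client, 53001, "10.1.1.1", 53),
        "ise_exempt": not is_redirected(aces, "tcp", client, 40000, ise_ip, 8443),
        "http_redirected": is_redirected(aces, "tcp", client, 40001, "203.0.113.5", 80),
        "https_redirected": is_redirected(aces, "tcp", client, 40002, "203.0.113.5", 443),
    }
```

Every key of the returned dict should be True for the ACL as posted; a permit line placed before the deny for the ISE host would flip ise_exempt to False, which is the mis-ordering that makes the agent unable to reach ISE.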
02-02-2025 11:22 PM
After some troubleshooting, I discovered that my laptop was making two authentication requests during a cold boot. Although both requests used the same RADIUS username, the identities in the logs were different—one was hostname@domain.com and the other was host/hostname@domain.com.
I eventually disabled both options (Stateless Session Resume and EAP-TLS Session Resume), and the authentication became unique after a cold boot. Only one request, hostname@domain.com, remained, and the issue was resolved.
Any thoughts on what might have caused this?
02-03-2025 10:15 AM
I think the host/hostname@domain.com would come first because that would belong to the machine authentication, and the hostname@domain.com would belong to the user authentication. The TLS session resume might have allowed ISE to use the cached information from the previous session, but tbh I don't think you should turn that off. How did you configure the NIC for dot1x, and how are the ISE policies configured? Are you doing dot1x for both machines and users?
02-05-2025 03:14 AM