I am doing a wireless ISE AnyConnect posture deployment using compliance module 4.x... Can anyone tell me how ISE gets to know that the status of the device is Unknown? Which area and which information is it looking at to mark the device as posture Unknown?
I know that after the AnyConnect scan on the supplicant, ISE knows if it is compliant or non-compliant. But how does ISE know that the posture status is Unknown, so that it presents the posture portal to the user? Is it checking any endpoint registry store or any local folder on the device?
And one more thing: once the device is marked as compliant and I am getting access to the network, even if I disconnect the WiFi and connect again, it automatically marks it as compliant without any scan until I manually disconnect the CoA from the ISE PAN.
Please reply with the exact process happening here. I have attached a screenshot of the policy set.
Hello Mike, thank you very much for the reply, but my question is still unclear. Please go through the following example for a better understanding.
1: John is an employee; he clicks on his WiFi SSID, selecting his user certificate which was pushed via GPO.
2: The ISE AAA policy gets a hit.
3: ISE checks the cert common name with AD and proceeds to the authorisation profile.
4: ISE picks the posture status Unknown and presents the provisioning portal.
So here, as you can see, there is no agent involved, so how did ISE get to know that the device has not done any posture check? How does ISE understand that the device has not done any posture assessment? This is what I want to know.
Note: We have a firewall requirement configured for users, but this check is only done in phase 2, as below.
5: ISE presents the provisioning portal to the client.
6: The client downloads and installs AnyConnect.
7: The posture scan starts and looks for the firewall requirement.
8: Compliant = permit access, or Non-compliant = deny access.
See, in phase 2 the machine has a tool which checks and reports to ISE about posture, but in phase 1 who is reporting to ISE?
I think the easiest way to know the 3 different states is the way I see it working. Basically, if a device connects and ISE doesn't have it in its endpoint list, then it's going to be an unknown device, and ISE will start to use what is available to figure out as much as it can for use in the policies.
So, Joe logs in for the first time on wireless. ISE gets the request and now has to figure out what is connecting so it can deal with it properly. Through profiling info, it figures out it's a PC, sending it through your posture rules. As it is a new device, it knows it has not seen a posture check, so it is unknown for posture, just like it was unknown at the start. This should send it to your redirect portal for the AnyConnect install and check.
For us this is a limited onboarding network that unknown and non-compliant devices go to until they are compliant. Once AnyConnect is installed and the check comes back compliant, it should re-run the rules and hit your compliant-based rule(s).
But, for me, the easiest way to think of how it is unknown is if there is no existing endpoint under Context Visibility/Endpoints. If there is an endpoint, there should only be compliant/non-compliant, based off the time settings for recheck.
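To make the three states and the reconnect behaviour from the thread concrete, here is a small model of the logic the answer above describes. It is an added example, not Cisco ISE code and not from either poster; the endpoint table, the 24-hour reassessment interval, the authorization profile names and the sample MAC are all assumptions chosen for illustration.

```python
# Added toy model of the posture-state logic described in the answer above.
# Not ISE code: interval, endpoint table and profile names are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

UNKNOWN, COMPLIANT, NONCOMPLIANT = "Unknown", "Compliant", "NonCompliant"
# Assumed authorization results keyed by posture status (illustrative names).
AUTHZ = {UNKNOWN: "Posture_Redirect", COMPLIANT: "PermitAccess", NONCOMPLIANT: "Quarantine"}


@dataclass
class EndpointRecord:
    posture_status: str       # last result the agent reported
    last_assessed: datetime   # when that result was reported


@dataclass
class PostureModel:
    reassessment_interval: timedelta                # the "recheck" timer from the answer
    endpoints: dict = field(default_factory=dict)   # MAC -> EndpointRecord

    def status_on_connect(self, mac: str, now: datetime) -> str:
        """Posture status the policy acts on when a session for `mac` is authorized."""
        rec = self.endpoints.get(mac)
        if rec is None:
            return UNKNOWN             # no endpoint record: nothing has ever reported posture
        if now - rec.last_assessed > self.reassessment_interval:
            return UNKNOWN             # cached result expired: the agent must scan again
        return rec.posture_status      # reuse the last result, no new scan (the OP's reconnect case)

    def record_assessment(self, mac: str, compliant: bool, now: datetime) -> None:
        """Called when the agent reports its scan result (phase 2 in the thread)."""
        self.endpoints[mac] = EndpointRecord(COMPLIANT if compliant else NONCOMPLIANT, now)

    def clear(self, mac: str) -> None:
        """Models the admin manually clearing the endpoint's posture state."""
        self.endpoints.pop(mac, None)


def walkthrough() -> list:
    """John's scenario from the thread; returns (status, authorization) per connect."""
    model = PostureModel(reassessment_interval=timedelta(hours=24))
    t0 = datetime(2020, 1, 1, 9, 0)
    mac = "00:11:22:33:44:55"   # constructed sample MAC
    steps = []
    for when in (t0,):                                       # first connect: no record
        steps.append(model.status_on_connect(mac, when))
    model.record_assessment(mac, compliant=True, now=t0 + timedelta(minutes=5))
    steps.append(model.status_on_connect(mac, t0 + timedelta(hours=2)))    # reconnect, no scan
    steps.append(model.status_on_connect(mac, t0 + timedelta(hours=30)))   # recheck timer expired
    model.clear(mac)
    steps.append(model.status_on_connect(mac, t0 + timedelta(hours=31)))   # cleared: unknown again
    return [(s, AUTHZ[s]) for s in steps]
```

Running `walkthrough()` shows Unknown on first connect, Compliant on a reconnect inside the interval without a new scan, and Unknown again once the timer expires or the state is cleared.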