ISE 2.6p3 Posture Policy Details report No data found

AB_2802
Level 1

Hi all,

this post is to explain my problem with "Posture Assessment by Endpoint" (Posture Policy Details section).

Our LAB policy deployment is built mainly for 2 kinds of endpoints: Corporate laptop and Unmanaged laptop.

We built posture policies based on an Anti-Malware condition that correctly matches.

In attachment, 2 captures of the resulting report for corporate and unmanaged PCs.

-> My problem is that I can't understand why there are no Posture Policy Details in reports generated for unmanaged PCs. Instead, reports for corporate PCs are complete with matched / skipped / failed posture conditions.

For unmanaged PCs we only match ANY AntiMalware installed and ANY AntiMalware defined. I already tried to match specifically the default Windows AM (Win Defender). It was matching correctly but still no details in the posture report.

Any suggestion?

Regards and happy holidays

Andrea
12 Replies

Francesco Molino
VIP Alumni
Hi

Can you share the configuration of your ISE to see how unmanaged PCs are forced to do posture?

On the AnyConnect client for unmanaged PCs, do you have a posture result?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks Francesco for your interest,

here I attach for you some of the required screen captures.

Hope it's enough.

regards,

Andrea

Andrea

It would be nicer if you didn't attach but instead inserted the images so we can see them easily. Otherwise we have to click through one by one. You can edit your post.

Done
Andrea

On your AnyConnect client, for unmanaged devices, do you see the results of all requirements?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

When connecting with an unmanaged PC, the AnyConnect client only shows me that I'm compliant.

I'm matching for sure all conditions in my requirements because of the AND operator between them:

abc_Unmanaged_Windows_AM_Installation & abc_Unmanaged_Windows_AM_Definition

I add here some details from a debug I made.

	Attribute:AMInstalled	 value:Windows Defender\;4.18.1902.5\;1.307.1230.0\;12/27/2019\;
	Attribute:BYODRegistration	 value:Unknown
	Attribute:DeviceCompliance	 value:Compliant
	Attribute:DeviceRegistrationStatus	 value:NotRegistered
	Attribute:EndPointPolicy	 value:Unknown
	Attribute:EndPointPolicyID	 value:
	Attribute:EndPointSource	 value:RADIUS Probe
	Attribute:IdentityGroup	 value:
	Attribute:IdentityGroupID	 value:
	Attribute:IpAddress	 value:xxxx
	Attribute:MACAddress	 value:#My_MAC_Address#
	Attribute:MacAddress	 value:#My_MAC_Address#
	Attribute:MatchedPolicy	 value:Unknown
	Attribute:MatchedPolicyID	 value:
	Attribute:MessageCode	 value:8700
	Attribute:NetworkDeviceGroups	 value:Location#All Locations#xxxx#xxxx#xxxx#xxxx
	Attribute:NmapSubnetScanID	 value:0
	Attribute:OUI	 value:Liteon Technology Corporation
	Attribute:OperatingSystem	 value:Windows 10 Professional 64-bit
	Attribute:PRAAction	 value:N/A
	Attribute:PRAEnforcementFlag	 value:false
	Attribute:PRAGraceTime	 value:0
	Attribute:PRAInterval	 value:0
	Attribute:PolicyVersion	 value:0
	Attribute:PortalUser	 value:
	Attribute:PostureAgentVersion	 value:AnyConnect Posture Agent for Windows 4.8.01090
	Attribute:PostureApplicable	 value:Yes
	Attribute:PostureOS	 value:Windows 10 Professional 64-bit
	Attribute:PostureStatus	 value:Compliant
	Attribute:RequestTime	 value:1577447567869
	Attribute:ResponseTime	 value:1577447567896
	Attribute:SessionId	 value:be191d0a0003cfafc6e6055e
	Attribute:StaticAssignment	 value:false
	Attribute:StaticGroupAssignment	 value:false
	Attribute:SystemDomain	 value:xxxx.local
	Attribute:SystemName	 value:PC-NAC
	Attribute:SystemUser	 value:xxxx
	Attribute:SystemUserDomain	 value:xxxx
	Attribute:Total Certainty Factor	 value:0
	Attribute:UserAgreementStatus	 value:NotEnabled
	Attribute:UserName	 value:xxxx
	Attribute:operating-system-result	 value:Windows 10 Professional 64-bit
	Attribute:SkipProfiling	 value:false
....
	Attribute:BYODRegistration	 value:Unknown
	Attribute:DeviceCompliance	 value:Compliant
	Attribute:DeviceRegistrationStatus	 value:NotRegistered
	Attribute:EndPointProfilerServer	 value:xxxx
	Attribute:EndPointSource	 value:RADIUS Probe
	Attribute:MACAddress	 value:#My_MAC_Address#
	Attribute:MessageCode	 value:8700
	Attribute:NmapSubnetScanID	 value:0
	Attribute:OUI	 value:Liteon Technology Corporation
	Attribute:PolicyVersion	 value:0
	Attribute:PortalUser	 value:
	Attribute:PostureApplicable	 value:Yes
	Attribute:PostureOS	 value:Windows 10 Professional 64-bit
	Attribute:PostureStatus	 value:Compliant
	Attribute:UserName	 value:xxxx
	Attribute:operating-system-result	 value:Windows 10 Professional 64-bit
	Attribute:SkipProfiling	 value:false
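As an added helper (not from the thread, not Cisco code), the following parses "Attribute:<name> value:<value>" debug lines like the ones above so the posture-related fields of a corporate session and an unmanaged session can be compared side by side. The field order inside AMInstalled and the two trimmed sample dumps are assumptions constructed from the output pasted above.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed samples: trimmed subsets of the two ISE debug attribute
# blocks pasted in the thread above (the real dumps are longer).
SESSION_A = """\
\tAttribute:AMInstalled\t value:Windows Defender\\;4.18.1902.5\\;1.307.1230.0\\;12/27/2019\\;
\tAttribute:MatchedPolicy\t value:Unknown
\tAttribute:PostureAgentVersion\t value:AnyConnect Posture Agent for Windows 4.8.01090
\tAttribute:PostureStatus\t value:Compliant
\tAttribute:Total Certainty Factor\t value:0
"""
SESSION_B = """\
\tAttribute:EndPointProfilerServer\t value:xxxx
\tAttribute:PostureApplicable\t value:Yes
\tAttribute:PostureStatus\t value:Compliant
....
"""

# Attribute names may contain spaces ("Total Certainty Factor"), so the
# name is matched non-greedily up to the whitespace before "value:".
_LINE = re.compile(r"^\s*Attribute:(.+?)\s+value:(.*)$")


def parse_attributes(dump: str) -> Dict[str, str]:
    """Map each 'Attribute:<name>\t value:<value>' line to name -> value.
    Lines that do not fit the pattern (e.g. the '....' separator) are skipped."""
    attrs: Dict[str, str] = {}
    for line in dump.splitlines():
        m = _LINE.match(line)
        if m:
            attrs[m.group(1).strip()] = m.group(2).strip()
    return attrs


def parse_am_installed(value: str) -> Optional[Dict[str, str]]:
    """Split an AMInstalled value. Assumed field order, read off the dump:
    product\\;product_version\\;definition_version\\;definition_date\\;"""
    fields = value.split("\\;")
    if len(fields) < 4:
        return None
    keys = ("product", "product_version", "definition_version", "definition_date")
    return dict(zip(keys, fields[:4]))


def diff_attributes(a: Dict[str, str], b: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Attributes whose values differ between two sessions; a missing key is ''."""
    return {k: (a.get(k, ""), b.get(k, ""))
            for k in sorted(set(a) | set(b)) if a.get(k, "") != b.get(k, "")}
```

Run diff_attributes(parse_attributes(corporate_dump), parse_attributes(unmanaged_dump)) on the full dumps to see which session attributes actually differ between the two endpoint types.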
Andrea

Your AnyConnect must show all policy requirements executed. Can you validate this?
Also on your live logs, you should see 1 log at first taking the unknown authorization policy and then a 2nd log for compliant. Can you confirm?
If that's the case for both questions, then I would suggest you open a TAC case.
I don't have right now an ISE 2.6 with posture configuration. I can try to build one but it's going to take a few days after New Year's Eve.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

nope, I cannot validate your assumption. On the AC Secure Mobility Client installed on corporate and unmanaged PCs using the same version (4.8.01090), we have no evidence of posture rules or requirements matched during the posture process; also clicking on the little gear in the AC window, no useful details are provided for this.

Instead I can confirm that ISE assigns me a temporary NotCompliant or Pending posture status (for both corporate and unmanaged), then the posture check runs, I get confirmation that all PCs are compliant and it generates its internal posture report (still only missing details for unmanaged PCs).

Could there be maybe something on the clients blocking the "GET" of this info?

Because the distinction is very clear:
managed posture detail OK (not admin, win10, AC installed via SCCM)
unmanaged posture detail N/A (admin/not admin, win10, AC installed via Client Provisioning)

Maybe something related to XML files generated in the AC installation folders..

Thanks

Andrea

I'd recommend calling TAC; this might be too involved here to get what you need accomplished.

hslai
Cisco Employee

Please ensure the condition you are trying to match as unmanaged in the ISE posture policies is also present in the authorization policy rule that matches the unmanaged devices. Otherwise, ISE posture would not be able to use it.

Hello,

did you kindly find the time to replicate, or have any other advice?

Thank you

Andrea

I didn't have time yet to prepare the lab.
I'm sorry, a few customer projects are taking some time.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question