ISE no-redirection posture-portal customization

sudheere · ‎01-16-2019

I am deploying ISE for a large customer. I use ISE 2.2 and posture method is no-redirect. I used call-home which lists all 5 PSN nodes separated by comma. The deployment is working fine but some computers remain in posture-unknown state on daily basis. I read in below article that if we use no-redirect method, CPP(portal) should be customized. The FQDN in default CPP is showing posture.xxx.com which is presently not resolving to any IP. Whether A record has to be created to resolve posture.xxx.com to all PSN nodes. I don't find any document explaining this.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html#anc9

For posture without redirection, configuration of client provisioning portal has to be edited. Navigate to Administration > Device Portal Management > Client Provisioning. You can either use default portal or create your own. Same portal can be used for both posture with and without redirection.

paul · ‎01-17-2019

For the ones that are stuck in Unknown what does their Posture Module say? Policy server not found? That would indicate an issue finding the PSN to report posture to. I always use the redirect method so can't comment too much on the Call Home setup.

paul · ‎01-17-2019

Also how are you ensuring that all the devices are getting the posture config XML file that contains the call home servers? Have you validate the machines that aren't working have the correct XML file? When you use the redirect method you don't have to rely on any XML file to find the PSN to report posture to, but when you use Call Home the file needs to be there and correct.