Solved: Re: ISE Posture - No Policy Server Detected

SecurityJumbo · ‎06-24-2023

Hello guys,

I'm deploying the ISE posture policy and I run into the AnyConnect Posture return "No Policy Server Detected" as shown below.

The switch and machine are able to reach to the ISE ip and dns name.

I created the ISEPostureCFG.xml file and save it at "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture\"

The ISE AnyConnect Profile

I configured the Client Provisioning, Policy Element, Posture Policy and Policy Set.

Maybe there is a config missing or incorrect, not sure where I start to troubleshoot. Please assist me on this issue.

SecurityJumbo · ‎06-30-2023

Okay, I knew it there is something in the switch. I used another switch and the URL redirecting works fine.

View solution in original post

Nancy Saini · ‎06-25-2023

Check if redirection is working on the client when it connects to the network. Open browser and type any website and see if the URL is getting changed to client provisioning portal URL (sent from ISE). If no, then check redirect ACL defined on the switch and check if the redirect URL is seen on "show authentication session int gig <id> detail" output.

Aref Alsouqi · ‎06-25-2023

I would recommend generating the DART bundle on the machine and look at AnyConnect_ISEPosture.txt file. The file would show you the reason why it can't detect the PSN.

SecurityJumbo · ‎06-25-2023

Hello @Nancy Saini

The 8021x radius is successful and the ACLs applied as well. The host is matching the right policy and I see the Posture is pending in the Live Logs. The problem is when the authentication and authorization are done, I tried to browse anything in the host and nothing happened from the Redirection Action.

Also, I tired to browse the Redirection URL manually, and I got this error below.

But I noticed the Redirection URL returns error when I try it manually

ammahend · ‎06-25-2023

in the redirect acl add at top and try

deny ip any host <ise ip>

also make sure ip http secure-server is configured.

-hope this helps-

SecurityJumbo · ‎06-26-2023

@ammahend I did update the Redirection ACL. But the "ip http secure-server" command is not available on the virtual switch that I'm using.

The issue still there and not sure what else I need to check.

ammahend · ‎06-26-2023

ok, I am assuming device already has IP and everything and able to resolve DNS, and Promiscuous Mode is enabled on the vswitch, lets try this, under common task where it says, "static IP/Host" put the IP address of the PSN where you are redirecting and try the url with IP instead of FQDN again few times

Parallel start a TCP Dump on ISE under troubleshooting/diagnostics tool on the same PSN, share the capture, lets see see how ISE response when the page is accessed.

-hope this helps-

SecurityJumbo · ‎06-26-2023

@ammahend you are right the device has ip address and already passed the authentication and authorization policies.

I attached the ISE Tcpdump as requested.

ISE Ip = 192168.10.111

Supplicant ip =192.168.10.51

Jump host ip = 192.168.10.5

ammahend · ‎06-26-2023

either something is not captured right or fundamentally configuration is not correct. I don't even see any redirect traffic on ISE in capture.

follow these guides and make sure your config is correct, these are old but relevant.

https://community.cisco.com/t5/security-knowledge-base/ise-posture-prescriptive-deployment-guide/ta-p/3680273#toc-hId-61739320

https://www.labminutes.com/sec0279_ise_22_posture_assessment_anyconnect_client_1

-hope this helps-

SecurityJumbo · ‎06-27-2023

@ammahend and everyone else, I have checked current configuration and it looks good. It is either the switch or ISE not applying the Redirection action.

I tested the Portal URL and it is good. The "ip http secure-server" applied as well. Please let me know if you know anything else I need to check

ammahend · ‎06-27-2023

so earlier when you accessed the URL page manually it was not reachable, now it is reachable ?

but its just that client is not redirecting to provisioning portal automatically or even after opening a browser, correct ?

Also confirm if the client is trying to get redirected and ISE page is not loading or not even trying to get redirected ? based on REDIRECT ACL hits seems like its trying to redirect but page not loading, may be an MTU issue.

-hope this helps-

joseph.a.harman2.ctr@mail.mil · ‎10-23-2023

I know this post is old but "ip http secure-server" doesn't work for URL redirect during posturing in my experience. You need "ip http server." I also recommend adding the supplemental command, "ip htp active-session-modules none" unless you manage your switches via WebGUI.

Also, the ACL someone posted earlier was incorrect. You don't need to allow ISE and DNS traffic within the redirect ACL. The redirect ACL is not a traditional security ACL; it is only telling the switch which traffic to redirect, not which traffic is actually allowed or disallowed. Try a redirect ACL like this:

Extended IP access list REDIRECT_ACL
10 permit tcp any any eq www
20 deny ip any any log-input

SPKV · ‎06-27-2023

Has this problem been fixed yet?

SecurityJumbo · ‎06-27-2023

@ammahend Thanks for the information. Let me clarify with more details:

When I click on the Portal Test (In the Portal setting page), the page is loading fine.

But when I copy the Redirection URL from the logs (Live Logs), it returns error "400 [Bad request]" as shown above.

I agree with you that the traffic is matching the Redirection ACL and I'm allowing all traffic in the DACL currently, but the client is not trying to open/load the Redirection URL a all. I tried to go some websites in the browser (I used different browsers), but nothing happened.

Not sure if I missed a configuration or maybe this is a virtual lab issue..

ammahend · ‎06-28-2023

based on auth details, your config seem good enough to redirect atleast, i am hoping there is no upstream firewall or acl (shoukd be able to ping ise from client) if so forget about posture for a min, if you did a simple hotspot guest portal can you redirect ?

also make sure to removed any custom logos and banner image from the portal customization page if you have any.

-hope this helps-