
Cisco Employee

ISE posturing delay - SCCM

I have a problem with ISE posturing at one of my customers (a bank); actually, the problem is with SCCM and the Windows DHCP server, but it is affecting posturing capabilities.

What is happening: they want to assess if a customer has Eset AV installed or not. If not, they only leave access to the page where they published the software, and this is done through SCCM. In order to do so, if I understood correctly (I'm not a Windows expert :) ), the machine needs to present itself with the DNS entry of the machine. When trying to do the mapping in the DHCP server (IP – name), there is a unique ID which identifies this mapping. However, this mapping apparently takes a long time, between 5 and 15 minutes. The Windows team said this is because the unique ID is very long and it takes this time to process it. Of course, posturing times out and it won't work anymore (and the experience for the employee is not pleasant either, waiting this long).

Any ideas?

thanks,

Ioana

1 ACCEPTED SOLUTION

Cisco Employee

Ioana,

I think Vince is correct.

See our How To: Universal IOS Switch Config for ISE, Step #20 & 21 for the DHCP Helper configuration.

The only other suggestion I can think of is to ensure you have allowed any required ports & IPs in the Quarantine ACL, to include DNS, DHCP, NTP, and anything required for SCCM and Eset services.


2 REPLIES
Contributor

Ioana-

Do you have the DHCP helper on the switch SVI pointing to ISE as well as the Windows DHCP server? The info from DHCP helps profile the endpoint, which will then enable posturing to start by using the correct endpoint ID.

Vince
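
The two suggestions in this thread (a second DHCP helper on the SVI pointing at ISE, and a quarantine ACL that lets DNS, DHCP, NTP and the SCCM and Eset servers through), written out as a Cisco IOS fragment. This is an added example, not configuration from the posters or from the How To guide; the VLAN number, the ACL name ACL-QUARANTINE and every address are constructed placeholders, and the permit lines are meant to be merged into the site's existing quarantine ACL rather than used as a complete one.

```cisco
! Constructed example: VLAN, ACL name and all addresses are placeholders
! (RFC 5737 documentation ranges). Substitute the site's real values.
!
interface Vlan10
 description Endpoint access VLAN (placeholder)
 ip address 192.0.2.1 255.255.255.0
 ! Windows DHCP server: the only helper target that answers with a lease
 ip helper-address 198.51.100.10
 ! ISE policy node: receives a copy of the DHCP request for profiling;
 ! it does not reply, so the client still gets its lease from the server above
 ip helper-address 198.51.100.20
!
ip access-list extended ACL-QUARANTINE
 remark DHCP so the quarantined endpoint can obtain and renew its lease
 permit udp any eq bootpc any eq bootps
 remark DNS so the endpoint can resolve and register its name
 permit udp any any eq domain
 permit tcp any any eq domain
 remark NTP
 permit udp any any eq ntp
 remark SCCM server (placeholder host; narrow to the ports SCCM needs)
 permit ip any host 198.51.100.30
 remark Eset server (placeholder host; narrow to the ports Eset needs)
 permit ip any host 198.51.100.40
```

On the switch, `show ip helper-address` and `show ip access-lists ACL-QUARANTINE` confirm that both helper targets are active and show per-entry hit counts while a quarantined endpoint is remediating.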
