
No Policy Server Detected - ISE 2.4 Patch 7

ISENAC1122
Level 1

Running with ISE 2.4 with patch 7 and AnyConnect 4.7

We are facing some issues on endpoints with the No Policy Server Detected message in AnyConnect, and the ISE Live Logs are showing Posture Unknown.

Endpoints are able to ping the ISE server as well as its host name, and are also able to resolve enroll.cisco.com.

Dot1x is happening successfully for the endpoint, redirection is also working, and posture status is showing Pending under Live Session on ISE.

What troubleshooting steps should I follow to resolve this issue?

Accepted Solutions

Mike.Cifelli
VIP Alumni
If connectivity between your client and ISE is there, then this sounds like a possible config issue in ISE. I would double-check your posture agent profile settings (Policy->Policy Elements->Results->Client Prov->Resources). In here you can configure either the 'discovery host' or 'call home list'. Once verified, something else to consider: usually, if the config is set up properly and you see 'Bypassing Anyconnect Scan. Network is configured to use NAC Agent' in the System Scan tray, this means that your client is not matching configured conditions in your client prov policy. See here for the full-blown guide:
https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273


4 Replies

agrissimanis
Level 1

When you say that redirection is working, how did you verify that? Have a look at this guide: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html

In summary, the ACL should make sure that DNS and traffic to PSNs are not redirected; everything else is. The logic to achieve this is different on switches and WLCs. On switches, traffic that is permitted by the redirect ACL is redirected. On WLCs, traffic that is denied by the redirect ACL is redirected.
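
The switch versus WLC redirect-ACL logic described in the reply above, as an added example that is not part of the original thread: a small Python model that evaluates a redirect ACL under each platform's semantics and reports any DNS or PSN flow that would be redirected. The PSN and DNS addresses, the ports, and the simplified rule format are constructed sample values, not taken from the poster's deployment.

```python
import ipaddress

# Constructed sample values (assumptions): one PSN, one DNS server, and a
# simplified rule format of (action, protocol, destination network, dst port).
PSN = "192.0.2.10"
DNS_SERVER = "198.51.100.53"

SWITCH_REDIRECT_ACL = [  # switch: "permit" = redirect, "deny" = bypass
    ("deny", "udp", "0.0.0.0/0", 53),
    ("deny", "ip", PSN + "/32", None),
    ("permit", "tcp", "0.0.0.0/0", 80),
    ("permit", "tcp", "0.0.0.0/0", 443),
]
WLC_REDIRECT_ACL = [  # WLC: "deny" = redirect, "permit" = bypass
    ("permit", "udp", "0.0.0.0/0", 53),
    ("permit", "ip", PSN + "/32", None),
    ("deny", "ip", "0.0.0.0/0", None),
]

def first_match(acl, proto, dst, port):
    """Return the action of the first matching rule (implicit deny at the end)."""
    for action, r_proto, r_net, r_port in acl:
        if r_proto not in ("ip", proto):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(r_net):
            continue
        if r_port is not None and r_port != port:
            continue
        return action
    return "deny"

def is_redirected(platform, acl, proto, dst, port):
    """Apply the platform's meaning of permit/deny to the matched action."""
    redirect_action = "permit" if platform == "switch" else "deny"
    return first_match(acl, proto, dst, port) == redirect_action

def audit(platform, acl):
    """List flows that must bypass redirection but would be redirected."""
    # Sample PSN ports; use the ports your ISE portals and posture service listen on.
    must_bypass = [("udp", DNS_SERVER, 53), ("tcp", PSN, 8443), ("tcp", PSN, 8905)]
    return [flow for flow in must_bypass if is_redirected(platform, acl, *flow)]

if __name__ == "__main__":
    print("switch ACL on switch:", audit("switch", SWITCH_REDIRECT_ACL))
    print("WLC ACL on WLC:      ", audit("wlc", WLC_REDIRECT_ACL))
    print("switch ACL on WLC:   ", audit("wlc", SWITCH_REDIRECT_ACL))
```

An empty list means DNS and PSN traffic bypass redirection as intended; the third call shows that a switch-style ACL reused unchanged on a WLC redirects all three flows.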

@Mike.Cifelli wrote:
If connectivity between your client and ISE is there, then this sounds like a possible config issue in ISE. I would double-check your posture agent profile settings (Policy->Policy Elements->Results->Client Prov->Resources). In here you can configure either the 'discovery host' or 'call home list'. Once verified, something else to consider: usually, if the config is set up properly and you see 'Bypassing Anyconnect Scan. Network is configured to use NAC Agent' in the System Scan tray, this means that your client is not matching configured conditions in your client prov policy. See here for the full-blown guide:
https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273

There are videos and other resources and sources out there as well. If all else fails, contact the TAC.

@Mike.Cifelli thank you very much for the information.