Solved: Re: No Policy Server Detected - ISE 2.4 Patch 7

ISENAC1122 · ‎12-20-2019

Running with ISE 2.4 with patch 7 and AnyConnect 4.7

We are facing some issue endpoints with No Policy Server Detected message in Any Connect and on ISE Live logs its showing Posture Unknown.

Endpoint are able to Ping ISE Server as well host name, also able to resolve enroll.cisco.com

Dot1x is is successfully happening for endpoint, redirection is also working, posture status is showing Pending under Live Session on ISE.

what are the troubleshoot steps should i follow to resolve this issue?

Mike.Cifelli · ‎12-20-2019

If connectivity between your client and ISE is there then this sounds like a possible config issue in ISE. I would double check your posture agent profile settings (Policy->Policy Elements->Results->Client Prov->Resources). In here you can configure either the 'discovery host' or 'call home list'. Once verified, something else to consider is usually if the config is setup properly and you see 'Bypassing Anyconnect Scan. Network is configured to use NAC Agent' in the System Scan tray this means that your client is not matching configured conditions in your client prov policy. See here for full blown guide:
https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273

View solution in original post

agrissimanis · ‎12-20-2019

When you say that redirection is working, how did you verify that? Have a look at this guide- https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html.

In summary, the ACL should make sure that DNS and traffic to PSNs is not redirected, everything else is. The logic to achieve this is different on switches and WLCs. On switches, traffic that is permitted by the redirect ACL is redirected. On WLCs, traffic that is denied by the redirect ACL is redirected.

Mike.Cifelli · ‎12-20-2019

If connectivity between your client and ISE is there then this sounds like a possible config issue in ISE. I would double check your posture agent profile settings (Policy->Policy Elements->Results->Client Prov->Resources). In here you can configure either the 'discovery host' or 'call home list'. Once verified, something else to consider is usually if the config is setup properly and you see 'Bypassing Anyconnect Scan. Network is configured to use NAC Agent' in the System Scan tray this means that your client is not matching configured conditions in your client prov policy. See here for full blown guide:
https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273

Jason Kunst · ‎12-20-2019

@Mike.Cifelli wrote:
If connectivity between your client and ISE is there then this sounds like a possible config issue in ISE. I would double check your posture agent profile settings (Policy->Policy Elements->Results->Client Prov->Resources). In here you can configure either the 'discovery host' or 'call home list'. Once verified, something else to consider is usually if the config is setup properly and you see 'Bypassing Anyconnect Scan. Network is configured to use NAC Agent' in the System Scan tray this means that your client is not matching configured conditions in your client prov policy. See here for full blown guide:
https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273

There are videos and other resources and sources out there as well. If all else fails contact the TAC

ISENAC1122 · ‎12-24-2019

@Mike.Cifelli thank you very much for information.