Posture Assessment passed in Error using Cisco ISE

marioderosa2008
Level 1

Hi all,

I would like some help trying to understand why a client that has not been connected to the network for just over a month was allowed full network access despite the AV definitions being over 28 days old.

We have 2 mandatory posture requirements,

1. Symantec AV MUST be installed

2. The AV definitions MUST be LESS THAN 28 days out of date

Currently, the machine I have is showing the AV defs as being 25th March 2013.

When I produce the detailed posture report, it even shows me that the two mandatory requirements as described above were successfully met, meaning the endpoint is posture compliant. Clearly this is not the case though...!

Is there anything else I can check on the ISE to help debug this?

Mario

Accepted Solution

Hi,

You might have two problems:

1. In ISE you have a global setting regarding the unsupported NAC Agent clients (Android, etc.) that specifies their default compliance status. If the default setting is "compliant" and you don't have a provisioning rule for that client, or you simply don't have client provisioning rules, any machine that doesn't fit in the provisioning rule (i.e. ISE thinks that it is not supported) will get a compliance status of compliant even though NAC Agent is installed and the rules are not satisfied.

2. NAC Agent version problem?

I've seen in logs that you're using NAC Agent 4.9.1.6 but the latest recommended version of NAC Agent to be used with (the latest) ISE is version 4.9.0.51.

Version 4.9.1.6 is a NAC Appliance release and Cisco offers no guarantee that it is 100% compatible with ISE.

Check

http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp78131

Cisco NAC Agent Interoperability Between NAC Appliance and Identity Services Engine (ISE)

Cisco supports different versions of the NAC Agent for integration with NAC Appliance and ISE. Current releases are developed to work in either environment, however, interoperability between deployments is not guaranteed. Therefore, there is no explicit interoperability support for a given NAC Agent version intended for one environment that will necessarily work in the other. If you require support for both NAC Appliance and ISE using a single NAC Agent, be sure to test NAC Agent in your specific environment to verify compatibility.

Unless there is a specific defect or feature required for your NAC Appliance deployment, Cisco recommends deploying the most current agent certified for your ISE deployment. If an issue arises, Cisco recommends restricting the NAC Agent's use to its intended environment and contacting Cisco TAC for assistance. Cisco will be addressing this issue through the standard Cisco TAC support escalation process, but NAC Agent interoperability is not guaranteed.

Cisco is working on an approach to address NAC Agent interoperability testing and support in an upcoming release.
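The two points above, the "no provisioning rule matched, so the global default status is applied" path and the 28-day definition-age requirement from the original question, can be checked independently of what ISE logged. The script below is an added example, not Cisco code and not an ISE API: it models the decision the answer describes and then audits posture-report rows for endpoints that were logged "compliant" while their raw evidence fails a mandatory requirement. The record layout, the endpoint names and the dates are constructed for the example (the definition date 25 March 2013 and the agent version strings come from the thread; the "today" date is an assumption).

```python
"""Audit ISE posture verdicts against the thread's two mandatory requirements.

Added example; not Cisco's code and not an ISE API. The record fields are an
assumption about what a reader would extract from an ISE detailed posture
report (endpoint id, NAC Agent version, whether a client-provisioning rule
matched, the logged compliance status, AV installed flag, AV definition date).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Requirement 2 from the question: definitions must be LESS THAN 28 days old.
MAX_DEFINITION_AGE_DAYS = 28


@dataclass
class PostureRecord:
    endpoint: str
    agent_version: str
    provisioning_rule_matched: bool   # did any client-provisioning rule apply?
    reported_status: str              # what ISE logged: "compliant"/"noncompliant"
    av_installed: bool                # requirement 1
    av_definition_date: Optional[date]


def definitions_fresh(defs_date: Optional[date], today: date) -> bool:
    """Requirement 2: the definition date is strictly less than 28 days old."""
    if defs_date is None:
        return False
    return (today - defs_date).days < MAX_DEFINITION_AGE_DAYS


def expected_status(rec: PostureRecord, today: date,
                    default_for_unsupported: str) -> str:
    """Model the decision described in the answer: an endpoint that matches no
    client-provisioning rule receives the global default status and its
    requirements are never evaluated; otherwise both requirements must pass."""
    if not rec.provisioning_rule_matched:
        return default_for_unsupported
    if rec.av_installed and definitions_fresh(rec.av_definition_date, today):
        return "compliant"
    return "noncompliant"


def audit(records: List[PostureRecord], today: date,
          default_for_unsupported: str = "compliant") -> Dict[str, List[str]]:
    """Return {endpoint: [reasons]} for every record logged 'compliant' whose
    raw evidence does not actually satisfy the mandatory requirements."""
    findings: Dict[str, List[str]] = {}
    for rec in records:
        if rec.reported_status != "compliant":
            continue  # only "compliant" verdicts can be false passes here
        reasons = []
        if not rec.provisioning_rule_matched:
            reasons.append("no client-provisioning rule matched; global default "
                           f"'{default_for_unsupported}' applied")
        if not rec.av_installed:
            reasons.append("AV not installed")
        elif not definitions_fresh(rec.av_definition_date, today):
            if rec.av_definition_date is None:
                reasons.append("no AV definition date reported")
            else:
                age = (today - rec.av_definition_date).days
                reasons.append(f"AV definitions {age} days old "
                               f"(limit {MAX_DEFINITION_AGE_DAYS})")
        if reasons:
            findings[rec.endpoint] = reasons
    return findings


# Constructed sample data: "today" is an assumed date about a month after the
# definition date quoted in the question.
TODAY = date(2013, 4, 26)
SAMPLE_RECORDS = [
    # The laptop from the thread: unknown profile, no rule matched, logged compliant.
    PostureRecord("laptop-unknown", "4.9.1.6", False, "compliant", True, date(2013, 3, 25)),
    # A healthy workstation on the agent version recommended in the answer.
    PostureRecord("workstation-ok", "4.9.0.51", True, "compliant", True, date(2013, 4, 20)),
    # Correctly failed: stale definitions and logged noncompliant.
    PostureRecord("workstation-stale", "4.9.0.51", True, "noncompliant", True, date(2013, 3, 1)),
    # Boundary case: definitions exactly 28 days old are NOT "less than 28 days".
    PostureRecord("workstation-boundary", "4.9.0.51", True, "compliant", True, date(2013, 3, 29)),
]

if __name__ == "__main__":
    for endpoint, reasons in audit(SAMPLE_RECORDS, TODAY).items():
        print(endpoint)
        for r in reasons:
            print("  -", r)
```

Run against the sample rows, the script flags the thread's laptop twice (no provisioning rule matched, and definitions 32 days old) and the boundary workstation once; the healthy workstation and the correctly failed one produce no finding. Comparing `expected_status(rec, TODAY, "noncompliant")` with the logged status shows what the verdict would have been had the global default for unsupported clients been set the other way.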


4 Replies

marioderosa2008
Level 1

Attached are exports of the authentication session pre-posture & post-posture & also the full posture report from the Cisco ISE.

One thing I have noticed is that this particular laptop is not being profiled correctly. Its endpoint group is "Unknown" whereas a majority of all our Windows machines get profiled properly as "WorkStation".

I have compared the RADIUS output on the ISE for a working laptop and this non-working laptop and there is no difference in terms of the attributes listed in the output.

I understand that in order to hit the built-in profiling rule for Windows 7, the User Agent attribute must contain "Windows NT 6.1".

How can I find out on my Windows machine what is contained in the attribute? Can the NAC agent help provide me with this information? Or the Windows registry perhaps?

Thanks

Mario


Thanks mate!!

I think the NAC agent version is the issue. I wonder if that is why our NAC agent customisation packages aren't working too!!