06-06-2018 07:53 AM - edited 02-21-2020 10:57 AM
We currently have a Windows 10 VM running on an ESXi host (6.5.0 Build 4564106) that we're intending on using for 802.1X testing. We have a need to be able to recreate NAC issues remotely, so we're trying to configure this VM as a normal wired client that we'll have remote console access to should we need to troubleshoot/reproduce dot1x issues remotely. Everything appears to be working with the exception of posturing. The VM is authenticating with ISE, but AnyConnect is not detecting a policy server and ISE is reporting posturing unknown.
ISE version is 2.2. AnyConnect version 4.4. The vmnic on the ESXi host is not tagged with a VLAN ID (set to 0) and the switchport that the vmnic is connected to is configured as follows:
switchport access vlan 136
switchport mode access
authentication control-direction in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 136
authentication event server alive action reinitialize
authentication host-mode multi-host
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
Connectivity is working just fine, just not posturing or compliance checks. Any help with this issue is greatly appreciated.
06-12-2018 06:48 AM
This issue has been resolved. There was no ACL on the switch redirecting posture-unknown devices to the ISE servers. Once the ACL was in place, the VM was able to detect the policy servers.
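The fix described in the accepted solution, written out as an added example rather than the poster's actual configuration: a URL-redirect ACL on a Cisco IOS access switch that ISE references from the posture authorization profile applied while posture status is Unknown, together with the global commands the redirect depends on. The ACL name and the PSN address 198.51.100.10 are placeholders, and the interface in the verification command is assumed.

```cisco
! Added example, not the thread's configuration. ACL name and PSN address are placeholders.
!
! Global prerequisites: the switch must learn the client's IP address to enforce a
! URL redirect, and it must run the HTTP/HTTPS server that intercepts redirected traffic.
ip device tracking
ip http server
ip http secure-server
radius-server vsa send authentication
radius-server vsa send accounting
!
! Redirect ACL. Counter-intuitively, "deny" lines are EXCLUDED from redirection and
! "permit" lines ARE redirected. The name must match the redirect ACL named in the ISE
! authorization profile (Web Redirection: Client Provisioning (Posture)).
ip access-list extended ACL-POSTURE-REDIRECT
 remark Let DNS and DHCP through untouched
 deny   udp any any eq domain
 deny   udp any eq bootpc any eq bootps
 remark Never redirect traffic destined to the ISE Policy Service Node (placeholder address)
 deny   ip any host 198.51.100.10
 remark Redirect web traffic, which is how the AnyConnect ISE Posture module discovers the PSN
 permit tcp any any eq www
 permit tcp any any eq 443
!
! Verification after the client authenticates: the session details should list the
! URL Redirect ACL and URL Redirect attributes returned by ISE. If they are absent,
! ISE matched an authorization profile without posture redirection.
! show authentication sessions interface GigabitEthernet1/0/1 details
```

Without the redirect, the posture module's HTTP discovery probes are never answered by a PSN, so ISE keeps the session in posture Unknown even though 802.1X authentication succeeded.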
06-06-2018 11:37 AM
Let's start with the client. Do you have the following installed?
1. AnyConnect NAM
2. AnyConnect ISE posture module
3. AnyConnect ISE compliance module
4. ISEPostureCFG.xml in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture
Do you also have a properly configured ISEPostureCFG.xml?
Did you create your own file or use the template in ISE? Found in Policy > Policy Elements > Results > Client Provisioning > Resources > Add > NAC agent or AnyConnect Posture Profile
This is a good place to start considering it already authenticates with your ISE.
06-06-2018 12:05 PM
1. AnyConnect NAM: Not installed, using native supplicant.
2. AnyConnect ISE posture module: Installed, using version 4.4.03034
3. AnyConnect ISE compliance module: Not installed yet because the client has yet to talk to the policy server. As I understand it, this module gets installed during the first communication with the policy server.
4. ISEPostureCFG.xml in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture: Yes, there is a valid .xml here. I copied it from a known working host.
I'm fairly confident the xml was created using the template in ISE. Not 100% sure though as the xml was in use before I began working on this system.
-Kevin