Solved: Re: The Cisco ISE 2.7 wired posture is compliant in the AC, but the switch is still in an unknown st...

msrfares84 · ‎04-13-2021

Hi,

After I configure the posture with "call home" to detect the PSN servers, the wireless can detect the PSN and check the compliance and the COA is working properly, the endpoint goes from unknown (Redirect URL) to compliant. For the wired, the endpoint is showing that it is compliant, but the switch and ISE are still in an unknown posture (Redirect URL).

After I click on the AC profile again, the endpoint status changes to compliant for the switch and ISE server, and I can browse successfully.

Any suggestions?

msrfares84 · ‎04-14-2021

Thank you for your support.

The issue has been fixed. The CoA UDP 1700 was blocked from the firewall.

View solution in original post

Marcelo Morais · ‎04-13-2021

Hi,

please check the status of your Endpoint at Work Centers > Posture > Reports > Reports > Posture Reports > Posture Assessment by Endpoint ... it is Compliant?

msrfares84 · ‎04-14-2021

It is showing compliant. Check the attached file.

Marcelo Morais · ‎04-14-2021

Hi,

perfect ... now use a TCP Dump (Operations > Troubleshoot > Diagnostic Tools > General Tools > TCP Dump), use the filter ip host <NAD IP Addr>, to check if you are sending the CoA.

Note: I'm assuming that your Unknown and Compliant Policy is correctly configured.

msrfares84 · ‎04-14-2021

Thank you for your support.

The issue has been fixed. The CoA UDP 1700 was blocked from the firewall.

The Cisco ISE 2.7 wired posture is compliant in the AC, but the switch is still in an unknown state, stuck in a redirect URL.