
[ISE] Posture Status - Not applicable

Patrick Tran

Hi,

I configured WiFi Guest Access with WLC and ISE and it works great.

Now I want to check client posture.

I configured a posture policy

posture_policy.PNG

On Windows7 client, I installed NAC client. With network sniffer, I can see SWISS protocol (TCP 8905) between client and ISE.

In authentications log, Posture Status is always "NotApplicable"

posture_not_applicable.PNG

Why is this posture not applicable?

Thanks a lot!

Patrick


kylerossd,

does not work. Those confs are not good.

V.

I resolved my issue. I created a client agent profile and assigned agent version in client provisioning. Even though I didn't have to, it seemed to help. It also appears that Symantec endpoint 11 causes issues; if you clean list the nac agent folder in Symantec endpoint protection the agent loads MUCH faster.

bhthapa

I recommend that you first verify/create posture requirements:

Policy > Policy Elements > Results > Posture > Requirements

The conditions are defined in the following location: Policy > Policy Elements > Conditions > Posture.

You also need to open these ports for the same:

permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)

permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)

permit udp any host 80.0.80.2 eq 8906 --> This is for posture communication between NAC agent and ISE (Swiss ports)

Hi Bhaskar,

that's a good point.

Now could you please give us the right posture ACL to be downloaded to the Switch (or set on a WLC). I think that some protocols are missing...

Regards.

V.

Here are some ports which need to be open; please use these:

permit tcp any host 80.0.80.2 eq 443 (This is for URL redirect)

permit tcp any host 80.0.80.2 eq www

permit udp any host 80.0.80.2 eq 8905 (This is for posture communication between NAC agent and ISE (Swiss ports))

permit udp any host 80.0.80.2 eq 8906 (This is for posture communication between NAC agent and ISE (Swiss ports))

permit tcp any host 80.0.80.2 eq 8443 (This is for guest portal port)

permit tcp any host 80.0.80.2 eq 8905 (This is for posture communication between NAC agent and ISE (Swiss ports))

deny ip any any
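
An added example, not part of the thread or of Cisco's tooling: a small first-match evaluator for the ACL syntax used in the replies above, which reports the flows from those replies that a candidate ACL would not permit. It assumes 80.0.80.2 is the ISE address, as in the replies; the function names are hypothetical, and only the `any` / `host` / `eq` forms shown in the thread are parsed.

```python
import ipaddress

# Constructed copy of the ACL from the last reply, comments removed.
ACL = """\
permit tcp any host 80.0.80.2 eq 443
permit tcp any host 80.0.80.2 eq www
permit udp any host 80.0.80.2 eq 8905
permit udp any host 80.0.80.2 eq 8906
permit tcp any host 80.0.80.2 eq 8443
permit tcp any host 80.0.80.2 eq 8905
deny ip any any
"""

# Flows the replies list as needed between the client and ISE.
REQUIRED = [("tcp", 443), ("tcp", 80), ("tcp", 8443),
            ("tcp", 8905), ("udp", 8905), ("udp", 8906)]
PORT_NAMES = {"www": 80}  # IOS port keyword used in the thread

def parse_ace(line):
    """Parse one entry: <action> <proto> any (any | host <ip>) [eq <port>]."""
    tok = line.split()
    action, proto, src, rest = tok[0], tok[1], tok[2], tok[3:]
    if src != "any" or rest[0] not in ("any", "host"):
        raise ValueError("unsupported ACE: " + line)
    if rest[0] == "any":
        dst, rest = None, rest[1:]
    else:
        dst, rest = ipaddress.ip_address(rest[1]), rest[2:]
    port = int(PORT_NAMES.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
    return action, proto, dst, port

def evaluate(acl_text, proto, dst, port):
    """Return the action of the first matching entry (implicit deny at end)."""
    dst = ipaddress.ip_address(dst)
    for line in acl_text.splitlines():
        # Drop the "(...)" and "--> ..." annotations used in the posts.
        line = line.split("(")[0].split("-->")[0].strip()
        if not line:
            continue
        action, a_proto, a_dst, a_port = parse_ace(line)
        if (a_proto in ("ip", proto) and a_dst in (None, dst)
                and a_port in (None, port)):
            return action
    return "deny"

def missing_flows(acl_text, ise_ip):
    """List the required (proto, port) flows the ACL does not permit."""
    return [(p, n) for p, n in REQUIRED
            if evaluate(acl_text, p, ise_ip, n) != "permit"]
```

Run against only the three Swiss-port lines from the earlier reply, `missing_flows` returns the 443, 80 and 8443 entries that the later reply adds.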
