Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2944
Views
10
Helpful
7
Replies

Posture Status for Smartphones - Android - Pending

Go to solution
David Boos
Level 1
Level 1

‎08-07-2013 06:55 AM - edited ‎03-10-2019 08:44 PM

I am trying to pass smartphones through our ISE infrastructure.  I have Windows working properly, it assigns a certificate, joins to the employee network, installs the NAC client, and requires remediation action.

When an Android phone (haven't tried iOS yet) tries to connect it receives a certificate, is profiled as Android, and then gets stuck in posture status pending.

I have attached a screenshot.

Thanks.

1 person had this problem
Labels:
Preview file
33 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
gschmitt.ngit
Level 1
Level 1
In response to David Boos

‎08-09-2013 08:05 PM

Check the detailed report on the pan authentication page and confirm what authz profile you are getting. My guess is that you are getting the one for posture assessment because you are not meeting the conditions for your android authz policy. Take a look at the endpoint profile entry and you'll probably find that one of the conditions is not being met.

for sure, you do not need the posture check included in the conditions.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
gschmitt.ngit
Level 1
Level 1

‎08-08-2013 01:06 PM

Is it being profiled as an android? If yes, create an authz policy to place it on the network with an authz profile that does not redirect to cpp. Place this authz policy above the one for windoze posture assessment.


Sent from Cisco Technical Support Android App

0 Helpful

Go to solution
David Boos
Level 1
Level 1
In response to gschmitt.ngit

‎08-09-2013 07:46 PM

I thought that's what I was doing, here's a screenshot of my authz rules.  The android authz rule is 4th one down - above all the windows posture related rules.

0 Helpful

Go to solution
gschmitt.ngit
Level 1
Level 1
In response to David Boos

‎08-09-2013 08:05 PM

Check the detailed report on the pan authentication page and confirm what authz profile you are getting. My guess is that you are getting the one for posture assessment because you are not meeting the conditions for your android authz policy. Take a look at the endpoint profile entry and you'll probably find that one of the conditions is not being met.

for sure, you do not need the posture check included in the conditions.

0 Helpful

Go to solution
David Boos
Level 1
Level 1
In response to gschmitt.ngit

‎08-09-2013 08:17 PM

I was thinking - would reducing it to Registered Device (only registered devices would authenticate with 802.1x anyway) and SessionOS equals Android be vague enough to catch it and not allow it to pass?

Endpoint IdC8:AA:21:02:16:75
Endpoint ProfileAndroid
IP Address
Identity Store
Identity GroupRegisteredDevices
Audit Session Idac1e10450000120e52056988
Authentication Methoddot1x
Authentication ProtocolEAP-TLS

This is how one android device is being profiled - I would guess that would allow it if I opened the rule up more?

0 Helpful

Go to solution
David Boos
Level 1
Level 1
In response to David Boos

‎08-09-2013 08:40 PM

Got it - wasn't enough to have sessionOS as Android.  Setting endpointpolicy to android seemed to do it.

Go to solution
andikamulya
Level 1
Level 1
In response to David Boos

‎08-22-2013 12:57 AM

Hi David,

How do you create attribute Endpoints:endpointpolicy?

Mine here only available Endpoints:PostureAppicable.

0 Helpful

Go to solution
David Boos
Level 1
Level 1
In response to andikamulya

‎08-24-2013 08:04 AM

I've attached screenshots. I'm on ISE 1.2.

These are the choices I have.

Customers Also Viewed These Support Documents