
Posturing and Compliance checks on Windows 10 Virtual Machine

klopez138
Level 1

We currently have a windows 10 VM running on an ESXi host (6.5.0 Build 4564106) that we're intending on using for 802.1X testing. We have a need to be able to recreate NAC issues remotely so we're trying to configure this VM as a normal wired client that we'll have remote console access to should we need to troubleshoot/reproduce dot1X issues remotely. Everything appears to be working with the exception of posturing. The VM is authenticating with ISE but AnyConnect is not detecting a policy server and ISE is reporting posturing unknown.

 

ISE version is 2.2. AnyConnect version 4.4. The vmnic on the ESXi host is not tagged with a VLAN ID (set to 0) and the switchport that the vmnic is connected to is configured as follows:

 

 switchport access vlan 136
 switchport mode access
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 136
 authentication event server alive action reinitialize
 authentication host-mode multi-host
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast

 

Connectivity is working just fine, just not posturing or compliance checks. Any help with this issue is greatly appreciated.

 

 

Accepted Solution

This issue has been resolved. There was no ACL on the switch redirecting posture-unknown devices to the ISE servers. Once the ACL was in place, the VM was able to detect the policy servers.
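The accepted solution points at the switch-side piece that the interface configuration in the question does not show: a URL-redirect ACL. While a session's posture status is Unknown, ISE's authorization profile for that state returns a redirect URL plus the name of a switch ACL; the switch intercepts the HTTP traffic that ACL permits and answers it with the redirect, and it is that interception of the AnyConnect posture module's discovery probes (HTTP to TCP 80) that lets the module find a policy server. With no ACL of that name on the switch, nothing is intercepted and the module reports no policy server. The following is an added example of such a configuration, not a config posted in this thread. The ACL name ACL-POSTURE-REDIRECT, the ISE policy service node addresses 192.0.2.10 and 192.0.2.11, and the interface GigabitEthernet1/0/1 are assumptions; substitute your own.

```cisco
! Added example, not from the thread. Assumed values: ACL name ACL-POSTURE-REDIRECT,
! ISE PSNs 192.0.2.10 / 192.0.2.11, client port GigabitEthernet1/0/1.
! In a redirect ACL "deny" means "do not redirect" and "permit" means "redirect".
ip access-list extended ACL-POSTURE-REDIRECT
 remark Traffic to the PSNs themselves must reach ISE directly, never be redirected
 deny   ip any host 192.0.2.10
 deny   ip any host 192.0.2.11
 remark Let DNS and DHCP through untouched
 deny   udp any any eq domain
 deny   udp any any eq bootps
 remark Intercept the client's web traffic (this catches the posture module's discovery probes)
 permit tcp any any eq www
 permit tcp any any eq 443
!
! The switch answers the intercepted requests with its own HTTP(S) server,
! so both must be enabled or the redirect never happens
ip http server
ip http secure-server
!
! Verification after the client re-authenticates: the session should now list
! the redirect ACL name and the URL pushed by ISE
show authentication sessions interface GigabitEthernet1/0/1 details
show ip access-lists ACL-POSTURE-REDIRECT
```

On the ISE side the authorization profile used for the posture-unknown rule (for example an authorization policy condition of Session:PostureStatus EQUALS Unknown) needs Web Redirection set to Client Provisioning (Posture) with the ACL field set to exactly the name used on the switch; the name is sent to the switch as a reference, not the ACL contents, which is why a mismatch or a missing ACL fails silently and shows up only as "posture unknown" on ISE and "no policy server" in AnyConnect. The ACL also needs to be reachable from the VM's access VLAN and not further filtered by an ingress ACL on the port.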

3 Replies

Ben Walters
Level 3

Let's start with the client: do you have the following installed?

 

1. AnyConnect NAM

2. AnyConnect ISE posture module

3. AnyConnect ISE compliance module

4. ISEPostureCFG.xml in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture

 

Do you also have a properly configured ISEPostureCFG.xml?

 

Did you create your own file or use the template in ISE? Found in Policy > Policy Elements > Results > Client Provisioning > Resources > Add > NAC agent or AnyConnect Posture Profile  

 

This is a good place to start considering it already authenticates with your ISE.

1. AnyConnect NAM: Not installed, using native supplicant.

2. AnyConnect ISE posture module: Installed, using version 4.4.03034

3. AnyConnect ISE compliance module: Not installed yet because the client has yet to talk to the policy server. As I understand it, this module gets installed during the first communication with the policy server.

4. ISEPostureCFG.xml in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture: Yes there is a valid .xml here. I copied it from a known working host.

 

I'm fairly confident the xml was created using the template in ISE. Not 100% sure though as the xml was in use before I began working on this system.

 

-Kevin

 
