05-18-2017 04:33 AM - edited 07-05-2021 07:03 AM
Hi All,
Does the 5760 support ISE posturing? I haven't seen any document regarding this nor any discussion in the support forum.
The ISE compatibility matrix says it is supported. Has anyone worked on posturing with the 5760?
Regards
Nikhil
05-18-2017 04:47 AM
I am assuming you have a 5760 as MC and a 3850 or 3650 as MA, and in this setup you are trying to perform posture checks for wireless clients through ISE. It should be supported.
Posture validation is more of an ISE apex feature than wireless itself.
What's important from the wireless perspective is whether the authenticator supports CoA, which in this case the 5760 does.
**rate helpful posts**
05-18-2017 05:37 AM
Hi,
Thanks for the reply.
I just have 5760 & I am trying to perform posture validation for wireless clients. The posture validation is success through & but doesn't work with 5760. My client is stuck in posture_required state.
Let me know if you have seen any documentation - design/configuration guide for 5760-ISE integration
Regards
Nikhil
05-18-2017 05:55 AM
http://www.cisco.com/c/en/us/support/docs/wireless/5700-series-wireless-lan-controllers/117717-config-wlc-00.html
It's not specific to posture, but validate your configuration with this. Use 1812 and 1813 for the auth and acct ports and ensure support for RFC 3576 is in the enabled state.
Can you post the ISE detailed log screenshot, version, etc.?
"The posture validation is success through & but doesn't work with 5760. My client is stuck in posture_required state." - Elaborate this.
05-18-2017 06:16 AM
Thanks for the reply, I can see a MACFILTER in WLAN config, which I feel is not required in the case of dot1x.
I don't have the logs with me, but the client status is as below:
1. My client gets connected and hits the POSTURE-UNKNOWN rule in ISE.
2. The client status is shown as POSTURE_REQD.
3. AnyConnect shows "WEB-AUTHENTICATION-REQD" and asks to open a browser.
4. If I open the browser, I get a request to enter the credentials (though I have configured SSO).
Regards
Nikhil
05-18-2017 11:04 PM
I can also see the below message in my AnyConnect:
Bypassing AnyConnect scan—Your network is configured to use the Cisco NAC agent.
This message is mentioned in the AnyConnect installation guide, but don't have much further explanation.
I missed some more things on my network.
- When I use the PC with the wired network, I can see the posturing is a success.
- When I use the same PC for guest access on the 5760, it is a success. I use CWA with ISE. I use the same redirect ACL for CWA and posturing.
- The only point where I am stuck is the posturing on the 5760.
05-19-2017 03:36 AM
When the client is in the posture required state and does the discovery for the ISE server, the WLC intercepts this request. Which interface in the WLC intercepts it? Is it the management interface or the interface specified in the webauth profile? Since the VLAN for the SSID is only L2, if the webauth interface is trying to intercept the packet my posturing will fail.
05-19-2017 06:07 AM
Is there an address where I can send you some email?
If not, I would recommend engaging TAC. There is a lot of floating information; posture issues are easy to solve, but I need to look into your policy and the failure logs on the WLC as well as ISE.
05-19-2017 11:13 AM
You can mail me at nikhs@live.com
12-19-2017 08:26 PM