09-23-2021 08:09 AM
Hi,
Our customer has ISE Posturing for their laptops when they are on the VPN and also when they are on the Wired Network. For this, they use AnyConnect 4.8.
When they are on the VPN, they connect successfully. The System Scan runs successfully and they are compliant and allowed onto the network.
When they are on the Wired Network, they get "System Scan: No policy server detected. Default network access is in effect"
When I go onto ISE to troubleshoot and put in the MAC address of the client, it cannot find the client. We are not using Client Provisioning as AnyConnect is deployed via Windows SCCM.
I have configured the policy element, posture policy, conditions, remediations and policy sets. I've gone through everything in this link "https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273"
Is there anything else that I need to do?
I am using ISE 3.0.
09-23-2021 08:27 AM
Couple of things to consider/try:
-I would strongly recommend upgrading AnyConnect as 4.8 is ancient.
System Scan: No policy server detected. Default network access is in effect
-This can mean a couple of things; I would check the ISEPostureCFG.xml settings, specifically the call home list and discovery host list. Perhaps you have misconfigured something there.
-Ensure that nothing is blocking the posture module discovery probe (firewall/acls in place?)
-Have you generated a DART bundle to view local client AC event viewer logs?
-Have you run a tcpdump from the ISE side to verify traffic is getting there?
09-23-2021 05:55 PM
Hi @Anthony O'Reilly ,
Note: you can find ISEPostureCFG.XML at
- Microsoft: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture\
- MAC OS: /opt/cisco/anyconnect/profile/
1st At Work Centers > Posture > Client Provisioning > Client Provisioning Policy, check the Rule for your Wired Network, attention to the Agent Result
2nd At Work Centers > Posture > Client Provisioning > Resources, check the Agent Result of "1st", attention to the ISE Posture
3rd At Work Centers > Posture > Client Provisioning > Resources, check the ISE Posture of "2nd", attention to the Call Home List and Discovery Host.
Hope this helps !!!
09-23-2021 09:19 AM
Hi Mike,
ISE posturing needs to be deployed yesterday, so the plan is to upgrade AnyConnect at the start of next year.
-This can mean a couple of things; I would check the ISEPostureCFG.xml settings, specifically the call home list and discovery host list. Perhaps you have misconfigured something there.
Where do I find this ISEPostureCFG.xml file? AnyConnect was installed on the client; there were no options to add in a call home list etc... Do I download the ISE posturing policy editor, add in the details and save the file as ISEPostureCFG.xml? Where do I put this file?
-Ensure that nothing is blocking the posture module discovery probe (firewall/acls in place?)
100% nothing is blocking the traffic from Client to ISE and vice-versa.
-Have you generated a DART bundle to view local client AC event viewer logs?
Working on this now.
-Have you run a tcpdump from the ISE side to verify traffic is getting there?
Working on this now.
10-05-2021 08:42 AM
Hi Mike,
I was missing the client resources and also the ISEPostureCFG.xml
All working as expected now.
09-24-2021 05:04 AM
The info @Marcelo Morais shared is accurate
You can also create an ISEPostureCFG.xml via the AnyConnect Profile Editor - specifically the ISE Posture Profile Editor and then upload to ISE for deployment and/or manually add it to the respective location on a test client. Do note though that changes on ISE side to support this would still be required (AnyConnect Config - Profile Selection area).
Any luck with DART bundle logs? I have utilized bundles in the past to point me in the right direction to fix an issue.
11-16-2021 08:16 AM - edited 11-16-2021 08:17 AM
I am having the same issue. The System Scan is showing the same status "No Policy Server Detected". We also use a pre-deploy approach via SCCM and install the Core-VPN and ISE-Posture modules.
But the thing is, when we tried a Web-Deploy approach with URL redirection, the client downloaded and installed AnyConnect and it works as expected with the compliance checking and all.
This only happens with the pre-deploy approach. I am not sure why?
The ISEPostureCFG.xml file was missing in the path "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\" for both types of deployment approach. But web-deploy is working and pre-deploy is not.
11-16-2021 08:57 AM
Hi @amirminhat
You need to deploy the ISEPostureCFG.xml file to the device.
You can download the Posture policy editor, create the config file and deploy this file to your device(s) via GPO, SCCM or whatever way suits your organisation.
The ISE policy editor ( Profile Editor (Windows) tools-anyconnect-win-4.10.03104-profileeditor-k9.msi) is available to download here:
https://software.cisco.com/download/home/286281283/type/282364313/release/4.10.03104
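Once the file has been pushed by GPO or SCCM, an endpoint-side check like the one below (an added example, not from this thread or from Cisco) confirms the file landed in the ISE Posture folder rather than Profile\, and that each host named in it answers on TCP 8905, the port the posture module uses to call home. The element names `CallHomeList` and `DiscoveryHost` and the comma-separated `host[:port]` format are assumed from Profile Editor output; adjust them if your file differs.

```powershell
# Added verification script (not from the thread or Cisco). Run on a Windows
# endpoint after pre-deploying ISEPostureCFG.xml. Element names and the
# comma-separated host[:port] format are assumptions; check against your file.
$base      = 'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client'
$goodPath  = Join-Path $base 'ISE Posture\ISEPostureCFG.xml'
$wrongPath = Join-Path $base 'Profile\ISEPostureCFG.xml'

if (-not (Test-Path $goodPath)) {
    Write-Warning "ISEPostureCFG.xml not found at $goodPath"
    if (Test-Path $wrongPath) {
        Write-Warning "Found it at $wrongPath instead; the posture module reads it from the ISE Posture folder."
    }
    return
}

[xml]$cfg = Get-Content -Path $goodPath -Raw

# Split a comma-separated list of host[:port] entries into trimmed strings.
function Get-Hosts([string]$raw) {
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    $raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

$callHome  = @(Get-Hosts $cfg.cfg.CallHomeList)
$discovery = @(Get-Hosts $cfg.cfg.DiscoveryHost)
if ($callHome.Count -eq 0 -and $discovery.Count -eq 0) {
    Write-Warning 'Neither CallHomeList nor DiscoveryHost is populated in the profile.'
}

# Probe every listed PSN; a failure here points at a firewall/ACL, not at ISE policy.
foreach ($entry in ($callHome + $discovery)) {
    $hostName, $port = $entry -split ':'
    if (-not $port) { $port = 8905 }   # default AnyConnect posture call-home port
    $r = Test-NetConnection -ComputerName $hostName -Port ([int]$port) -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'reachable' } else { 'BLOCKED/unreachable' }
    "{0,-40} TCP/{1,-5} {2}" -f $hostName, $port, $state
}
```

The same check is worth running from the off-site ISP that fails, since a reachable-on-one-network result narrows the problem to the path rather than the profile.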
11-16-2021 05:41 PM
Thank you for the fast reply. Correct me if I'm wrong: so the profile editor is to create the config file (.xml), which needs to be deployed to the folder path C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\ on the client endpoints.
Does the .xml file need to be uploaded to ISE as well, or does it only need to be deployed on the client endpoints? Because from the ISE CPP resources I can only import files in .pkg and .dmg format.
11-17-2021 04:37 AM
FYSA
The ISEPostureCFG.xml goes here on Win clients: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture
Does the .xml file need to be uploaded to ISE as well, or does it only need to be deployed on the client endpoints? Because from the ISE CPP resources I can only import files in .pkg and .dmg format.
-This all depends on if you use CPP to provision clients. If you wish to rely on CPP, the profile selection area when configuring an AnyConnect Configuration profile requires that you select an ISE Posture profile to push to clients when hitting a CPP with the respective result. You have the ability to import .xml files. Go to Policy->Policy Elements->Results->Client Provisioning->Resources: Click Add: Agent Resources from Local Disk: Customer Created: AnyConnect Profile: <your profile>
HTH!
11-17-2021 08:24 PM
I have tried creating the ISEPostureCFG.xml using the Profile Editor and uploaded it to the headend. I also deployed it to the right path on the clients, but the issue remains with "No Policy Server Detected". The call home list has the FQDN and the discovery host is the ISE IP address.
For your insights, we are trying to implement both types of deployment.
1st approach. Using Pre-Deploy via SCCM.
2nd approach. Using Web-Deploy. (This is to cover the remaining clients that were unsuccessfully deployed via SCCM.)
Do I have to create TWO separate AnyConnect profiles on ISE (CPP Resources)? One for the pre-deploy by importing a customer created package and one more created directly from the Resources. And how does AnyConnect actually select and match the profile on ISE? And how about the Policy Sets? Because of the CPP, I have only configured Authorization Rules and Authz Profiles for CPP Redirection, Compliant and Non-Compliant. Because of this, even when we pre-deploy AnyConnect, it returns the CPP Portal and asks the user to download even though AnyConnect is already there, since AnyConnect is unable to detect the policy server.
Appreciate your ideas on this.
Thanks !
11-18-2021 03:55 AM
I am going to try to cover most of the questions. I strongly recommend taking a peek at the following resources to understand the workflow: ISE Posture Prescriptive Deployment Guide - Cisco Community
Do I have to create TWO separate AnyConnect profiles on ISE (CPP Resources)?
-No. You have the option to manually create it in ISE itself, or via profile editor and the upload method.
One for the pre-deploy by importing a customer created package and one more created directly from the Resources. And how does AnyConnect actually select and match the profile on ISE?
-You only need 1 profile in the respective shared location.
And how about the Policy Sets? Because of the CPP, I have only configured Authorization Rules and Authz Profiles for CPP Redirection, Compliant and Non-Compliant.
-There should be three states: Unknown, which is what clients are first matched/deemed against, and Compliant or Non-Compliant, which is the result post assessment. See the shared documentation above.
Because of this, even when we pre-deploy AnyConnect, it returns the CPP Portal and asks the user to download even though AnyConnect is already there, since AnyConnect is unable to detect the policy server.
-If you wish to eliminate the pop up you can remove the redirect in the authz profile. However, if clients need to be fully provisioned it is typically recommended to leave it as is.
Lastly, I would take a client that is having the issue reaching ISE and generate a DART bundle. From there, check the logs to help troubleshoot the issues. Good luck & HTH!
01-14-2022 04:39 AM
Hello Dear All,
Was someone able to resolve this issue? I am currently facing the exact issue with ISE 3.0 patch 4, AnyConnect ISE Posture 4.10, Core VPN 4.10 and compliance module 4.3.
Everything works with a web-deploy installation, but with pre-deploy through GPO AnyConnect is not able to find the PSN.
12-09-2022 10:22 AM
Could you solve the problem?
What actions did you apply?
10-04-2024 11:33 PM
I have the same problem, but the strange thing is it works absolutely fine with one ISP and also with a mobile hotspot. However, the "No Policy Server Detected" error comes with another ISP at my home which I recently installed for WFH. What could be the difference? Tried a fresh latest installation.