topic Re: ISE Posture problem in Endpoint Security

ISE Posture problem

fikret-arazbeyli — Tue, 22 Oct 2024 09:35:12 GMT

A user connected to a Cisco 2960X switch was re-authenticated every 30 minutes. I replaced the switch with a 9200L model, and now when the user re-authenticates every 1800 seconds, the Posture process shows the error "Posture failed due to Server issue."Posture What could be the cause, and how can I fix it?

Re: ISE Posture problem

Aref Alsouqi — Tue, 22 Oct 2024 10:45:25 GMT

Could you please share the related configs on the 9200 switch for review including the redirect ACL please?

Re: ISE Posture problem

fikret-arazbeyli — Tue, 22 Oct 2024 12:02:47 GMT

No ACL configured. What configurations are needed? Radius or all configurations?

Re: ISE Posture problem

Aref Alsouqi — Tue, 22 Oct 2024 15:51:33 GMT

If you don't have any redirect ACL created then I think you would need one. This redirect ACL would need to be called exactly with the same name as you configured it in the redirection authorization profile on ISE.

Re: ISE Posture problem

fikret-arazbeyli — Wed, 23 Oct 2024 08:35:00 GMT

I looked at the cisco ISE logs and when that error occurs, authentication goes through but authorization does not go through and it closes the session,even went through the CoA configurations.Could it be from the firmware version?

Re: ISE Posture problem

Aref Alsouqi — Wed, 23 Oct 2024 10:04:13 GMT

Could you share the failure log in ISE for review please? I don't think the firmware version in itself is the issue, however, it could be that some of the commands have not been applied to the 9200 switch. Did you cross check all the commands you had on the 2960 with the ones you applied to the 9200?

Re: ISE Posture problem

fikret-arazbeyli — Thu, 24 Oct 2024 10:41:12 GMT

11001	Received RADIUS Access-Request
	11017	RADIUS created a new session
	11027	Detected Host Lookup UseCase (Service-Type = Call Check (10))
	15049	Evaluating Policy Group
	15008	Evaluating Service Selection Policy
	15048	Queried PIP - DEVICE.Location
	15048	Queried PIP - DEVICE.Device Type
	15041	Evaluating Identity Policy
	15013	Selected Identity Source - Internal Endpoints
	24209	Looking up Endpoint in Internal Endpoints IDStore - XX:XX:XX:XX:XX:XX
	24211	Found Endpoint in Internal Endpoints IDStore
	22037	Authentication Passed
	15036	Evaluating Authorization Policy
	11055	User name change detected for the session. Attributes for the session will be removed from the cache
	15048	Queried PIP - DEVICE.Location
	15048	Queried PIP - DEVICE.Device Type
	15048	Queried PIP - Network Access.EapAuthentication (192 times)
	15048	Queried PIP - Normalised Radius.RadiusFlowType
	15016	Selected Authorization Profile - DenyAccess
	15039	Rejected per authorization profile
	11003	Returned RADIUS Access-Reject

These are the logs from ISE. I have compared the configurations of 2960X and 9200L, they are all the same. Radius has session-timeout set to 1800 seconds. After this period expires, it checks again, at which point the posture gives an error and the connection is interrupted for 15 seconds.

Re: ISE Posture problem

Aref Alsouqi — Fri, 01 Nov 2024 12:34:57 GMT

Not sure, sorry, but from the log you shared it does seem that the wrong authorization profile is being hit. I think I would need to see all your sanitized configs of this whole posture assessment flow to see if anything else come to mind that could help.

Re: ISE Posture problem

fikret-arazbeyli — Tue, 05 Nov 2024 08:12:15 GMT

Thank you for your all help. The problem has been solved. Problem was anyconnect version

Re: ISE Posture problem

Aref Alsouqi — Tue, 05 Nov 2024 09:20:06 GMT

You are welcome, and thanks for sharing the root cause.