https://community.cisco.com/t5/network-access-control/authorization-profile-not-changed-after-posture-compliant/m-p/4032238#M450062 <P>Hi,</P><P>&nbsp;</P><P>We've noticed a weird behavior in our ISE deployment integrated with ASA for AnyConnect authorization.</P><P>&nbsp;</P><P>AnyConnect users have posture configured so every time they connect they match first the "posture unknown" authorization profile while AnyConnect runs the system scan. We observe this normal behavior in the Radius live logs.&nbsp;</P><P>Once the client is compliant, the status changes to "Compliant" in the "Posture Status" column, BUT the "authorization profile" column is not updated with the valid rule that matches the compliant status. However, the dACL sent to ASA and actually applied is the correct one based on the user profile.&nbsp;</P><P>&nbsp;</P><P>ISE performs just authorization, not authentication which is validated by the ASA using certificates.</P><P>&nbsp;</P><P>Summarizing: ISE sees the user as compliant, internally matches the authorization profile for a compliant user, but the Radius logs are not updated accordingly and we see all the users with the status "unknown".</P><P>&nbsp;</P><P>Any ideas?</P><P>&nbsp;</P><P>Thanks.</P> Wed, 19 Feb 2020 12:15:30 GMT Antonio Macia 2020-02-19T12:15:30Z https://community.cisco.com/t5/network-access-control/authorization-profile-not-changed-after-posture-compliant/m-p/4032238#M450062 <P>Hi,</P><P>&nbsp;</P><P>We've noticed a weird behavior in our ISE deployment integrated with ASA for AnyConnect authorization.</P><P>&nbsp;</P><P>AnyConnect users have posture configured so every time they connect they match first the "posture unknown" authorization profile while AnyConnect runs the system scan. We observe this normal behavior in the Radius live logs.&nbsp;</P><P>Once the client is compliant, the status changes to "Compliant" in the "Posture Status" column, BUT the "authorization profile" column is not updated with the valid rule that matches the compliant status. However, the dACL sent to ASA and actually applied is the correct one based on the user profile.&nbsp;</P><P>&nbsp;</P><P>ISE performs just authorization, not authentication which is validated by the ASA using certificates.</P><P>&nbsp;</P><P>Summarizing: ISE sees the user as compliant, internally matches the authorization profile for a compliant user, but the Radius logs are not updated accordingly and we see all the users with the status "unknown".</P><P>&nbsp;</P><P>Any ideas?</P><P>&nbsp;</P><P>Thanks.</P> Wed, 19 Feb 2020 12:15:30 GMT https://community.cisco.com/t5/network-access-control/authorization-profile-not-changed-after-posture-compliant/m-p/4032238#M450062 Antonio Macia 2020-02-19T12:15:30Z https://community.cisco.com/t5/network-access-control/authorization-profile-not-changed-after-posture-compliant/m-p/4032571#M450065 <P>The behaviour you're seeing could be related to this bug:</P> <P><A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf59076" target="_self">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf59076</A></P> <P>&nbsp;</P> Wed, 19 Feb 2020 20:51:38 GMT https://community.cisco.com/t5/network-access-control/authorization-profile-not-changed-after-posture-compliant/m-p/4032571#M450065 Greg Gibbs 2020-02-19T20:51:38Z https://community.cisco.com/t5/network-access-control/authorization-profile-not-changed-after-posture-compliant/m-p/4032841#M476161 <P>Thanks.&nbsp;</P><P>&nbsp;</P><P>The bug description completely matches my scenario indeed. Time to patch!</P> Thu, 20 Feb 2020 07:30:21 GMT https://community.cisco.com/t5/network-access-control/authorization-profile-not-changed-after-posture-compliant/m-p/4032841#M476161 momo2017 2020-02-20T07:30:21Z