<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic ISE 2.3 Posture - User name change detected for the session in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/ise-2-3-posture-user-name-change-detected-for-the-session/m-p/3739948#M488621</link>
    <description>&lt;P&gt;Evening everyone.&lt;/P&gt;
&lt;P&gt;Having an issue with temporal agent posture check for BYOD clients and I'm not sure if it's client config causing it, or something on the ISE side.&lt;/P&gt;
&lt;P&gt;What I'm seeing is that when a client connects and gets redirected to download the temporal agent, the RADIUS Live Logs show the identity as&amp;nbsp;&lt;EM&gt;user@domain&lt;/EM&gt;. Once the posture check is done and a CoA is issued, the client then appears in the live logs as just&amp;nbsp;&lt;EM&gt;user&lt;/EM&gt; rather than&amp;nbsp;&lt;EM&gt;user@domain&lt;/EM&gt;.&lt;/P&gt;
&lt;P&gt;If I look at the report for the new authorisation, it has a line that says "User name change detected for the session.Attributes for the session will be removed from the cache."&lt;/P&gt;
&lt;P&gt;What that means from a user POV is that they need to re-run the posture assessment a second time, and then after another CoA and reauth the endpoint keeps the PostureStatus attribute as either Compliant/Non-Compliant and gets appropriate access.&lt;/P&gt;
&lt;P&gt;I saw bug &lt;A href="https://quickview.cloudapps.cisco.com/quickview/bug/CSCuj34004" target="_self"&gt;CSCuj34004&lt;/A&gt;&amp;nbsp;that appeared to relate to my symptoms, but the workaround doesn't seem to work in my case. The BYOD policies are ordered such that compliant/non-compliant are ahead of unknown already, but the issue persists. Furthermore, all of my authentications are user authentication - there's never a change from machine to user auth.&lt;/P&gt;
&lt;P&gt;Has anyone observed similar behaviour before? I've had a poke around my client settings on my test machine but I can't see anything that would cause it to change the username it sends for 802.1x auth, so I'm not sure if that's being influenced by the temporal agent or not, or if there's something I can do on the ISE side to work around the issue.&lt;/P&gt;
&lt;P&gt;I've attached a screenshot of the RADIUS Live Logs showing the changing identity and showing how it seems to cause me to hit the 'UNKNOWN' BYOD policy twice.&lt;/P&gt;</description>
    <pubDate>Tue, 06 Nov 2018 11:05:53 GMT</pubDate>
    <dc:creator>David Milne</dc:creator>
    <dc:date>2018-11-06T11:05:53Z</dc:date>
    <item>
      <title>ISE 2.3 Posture - User name change detected for the session</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-2-3-posture-user-name-change-detected-for-the-session/m-p/3739948#M488621</link>
      <description>&lt;P&gt;Evening everyone.&lt;/P&gt;
&lt;P&gt;Having an issue with temporal agent posture check for BYOD clients and I'm not sure if it's client config causing it, or something on the ISE side.&lt;/P&gt;
&lt;P&gt;What I'm seeing is that when a client connects and gets redirected to download the temporal agent, the RADIUS Live Logs show the identity as&amp;nbsp;&lt;EM&gt;user@domain&lt;/EM&gt;. Once the posture check is done and a CoA is issued, the client then appears in the live logs as just&amp;nbsp;&lt;EM&gt;user&lt;/EM&gt; rather than&amp;nbsp;&lt;EM&gt;user@domain&lt;/EM&gt;.&lt;/P&gt;
&lt;P&gt;If I look at the report for the new authorisation, it has a line that says "User name change detected for the session.Attributes for the session will be removed from the cache."&lt;/P&gt;
&lt;P&gt;What that means from a user POV is that they need to re-run the posture assessment a second time, and then after another CoA and reauth the endpoint keeps the PostureStatus attribute as either Compliant/Non-Compliant and gets appropriate access.&lt;/P&gt;
&lt;P&gt;I saw bug &lt;A href="https://quickview.cloudapps.cisco.com/quickview/bug/CSCuj34004" target="_self"&gt;CSCuj34004&lt;/A&gt;&amp;nbsp;that appeared to relate to my symptoms, but the workaround doesn't seem to work in my case. The BYOD policies are ordered such that compliant/non-compliant are ahead of unknown already, but the issue persists. Furthermore, all of my authentications are user authentication - there's never a change from machine to user auth.&lt;/P&gt;
&lt;P&gt;Has anyone observed similar behaviour before? I've had a poke around my client settings on my test machine but I can't see anything that would cause it to change the username it sends for 802.1x auth, so I'm not sure if that's being influenced by the temporal agent or not, or if there's something I can do on the ISE side to work around the issue.&lt;/P&gt;
&lt;P&gt;I've attached a screenshot of the RADIUS Live Logs showing the changing identity and showing how it seems to cause me to hit the 'UNKNOWN' BYOD policy twice.&lt;/P&gt;</description>
      <pubDate>Tue, 06 Nov 2018 11:05:53 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-2-3-posture-user-name-change-detected-for-the-session/m-p/3739948#M488621</guid>
      <dc:creator>David Milne</dc:creator>
      <dc:date>2018-11-06T11:05:53Z</dc:date>
    </item>
    <item>
      <title>Re: ISE 2.3 Posture - User name change detected for the session</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-2-3-posture-user-name-change-detected-for-the-session/m-p/3764661#M488623</link>
      <description>&lt;P&gt;&lt;A href="https://quickview.cloudapps.cisco.com/quickview/bug/CSCuj34004" target="_self" rel="nofollow noopener noreferrer"&gt;CSCuj34004&lt;/A&gt;&amp;nbsp;is an old bug and should only be applicable to ISE 1.x, but not ISE 2.x.&lt;/P&gt;
&lt;P&gt;Please engage Cisco TAC to take a look and see why your DOT1X supplicant is sending ISE different formats for the username and why ISE is not normalizing them and treating them as the same username.&lt;/P&gt;</description>
      <pubDate>Sun, 16 Dec 2018 22:59:08 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-2-3-posture-user-name-change-detected-for-the-session/m-p/3764661#M488623</guid>
      <dc:creator>hslai</dc:creator>
      <dc:date>2018-12-16T22:59:08Z</dc:date>
    </item>
    <item>
      <title>Re: ISE 2.3 Posture - User name change detected for the session</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-2-3-posture-user-name-change-detected-for-the-session/m-p/3768105#M488624</link>
      <description>&lt;P&gt;It seems to be an issue with the Cert auth profile and TAC is opening a bug on it.&lt;/P&gt;</description>
      <pubDate>Fri, 21 Dec 2018 23:01:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-2-3-posture-user-name-change-detected-for-the-session/m-p/3768105#M488624</guid>
      <dc:creator>hslai</dc:creator>
      <dc:date>2018-12-21T23:01:40Z</dc:date>
    </item>
  </channel>
</rss>

