topic Re: ISE 2.3 BYOD with Temporal Agent - Odd Behaviour in Network Access Control

ISE 2.3 BYOD with Temporal Agent - Odd Behaviour

David Milne — Mon, 29 Oct 2018 06:30:18 GMT

Hi Folks,

Working on a POC/Test ISE deployment prior to the full production rollout and I'm encountering some odd behavior with my wireless BYOD setup. I'm seeing the following issues on my test machine, and it seems to happen every time I test.

BYOD clients lose posture status every time they log off/reboot (or perhaps more accurately, when they reconnect to the corproate SSID), but posture lease is set to 14 days and there is no periodic re-assessment configured. My understanding is that the posture lease should apply to all clients, but I may be mistaken there?
When BYOD clients are posture-assessed using the temporal agent, the first run through doesn't update the posture status in ISE - I need to be redirected a second time, run the temporal agent a second time and then I get full network access.

I have a feeling it may be related to my configuration (specifically the client provisioning/posture setup), but was curious if anyone had any thoughts on those issues? I'm going to try and get some screenshots later to illustrate my client provisioning policy setup, just in case it's something there - I've got separate lines for posture and provisioning as it was the cleanest way I could think to configure it, but there's probably a better way. I'm pretty new to ISE!

Thanks!

Re: ISE 2.3 BYOD with Temporal Agent - Odd Behaviour

hslai — Mon, 29 Oct 2018 11:47:09 GMT

BYOD clients lose posture status every time they log off/reboot (or perhaps more accurately, when they reconnect to the corproate SSID), but posture lease is set to 14 days and there is no periodic re-assessment configured. My understanding is that the posture lease should apply to all clients, but I may be mistaken there?

Temporal agent does not support posture lease. Please use regular AnyConnect ISE Posture for this.

When BYOD clients are posture-assessed using the temporal agent, the first run through doesn't update the posture status in ISE - I need to be redirected a second time, run the temporal agent a second time and then I get full network access.

Please ensure ISE PSN receiving a posture report. Use the ISE RADIUS Live Logs to check the authorization policy rule matched after PSN sending out the CoA and the network device re-authenticating the endpoint.

Re: ISE 2.3 BYOD with Temporal Agent - Odd Behaviour

David Milne — Tue, 30 Oct 2018 01:36:07 GMT

Thanks for that, appreciate the quick response.

Temporal agent does not support posture lease. Please use regular AnyConnect ISE Posture for this.

I guess the clients will be committed to re-running the temporal agent every time they connect then - no way to only force clients to re-assess every X days with the temporal agent?

Regarding the posture report, I'll take a more detailed look at the live logs and also do a capture on the PSN to see if I can catch any CoA being sent to the NAD.

Re: ISE 2.3 BYOD with Temporal Agent - Odd Behaviour

ramkchel — Wed, 31 Oct 2018 07:04:27 GMT

Temporal Agents doesn't get installed on the clients. So temp agent cannot perform posture lease, clients need to download and run temporal agent every time to perform posture check.

The solution is to use Anyconnect Agent.

Re: ISE 2.3 BYOD with Temporal Agent - Odd Behaviour

David Milne — Wed, 31 Oct 2018 09:16:14 GMT

Sounds good - they'll just have to live with a posture assessment every time they connect or get their BYOD users to install AnyConnect then.

I thought perhaps there was a way to have ISE do something clever with the temporal agent posture report - e.g. have it run when you connect at 1000 on Oct 31 and count that as 'valid' posture for X days, then after X days market them as non-compliant/unknown, issue a CoA to force them to re-run the temporal agent and get another X days of valid posture.

Regards,

David

Re: ISE 2.3 BYOD with Temporal Agent - Odd Behaviour

Jason Kunst — Wed, 31 Oct 2018 14:26:44 GMT

No there is not. If you have devices staying that long then install Anyconnect to get full featured support.

The temporal agent is for temporal users like contractors that are short stay.

Re: ISE 2.3 BYOD with Temporal Agent - Odd Behaviour

David Milne — Wed, 31 Oct 2018 21:32:13 GMT

Duly noted. Thanks everyone!