<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Cisco ISE posture in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/cisco-ise-posture/m-p/3184533#M556159</link>
    <description>&lt;P&gt;Yeah, I understand, but the trick that did it for me was to reboot the PSN nodes. Thank you anyway for your tip, Mohamed!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Best regards,&lt;/P&gt;&lt;P&gt;Zach&lt;/P&gt;</description>
    <pubDate>Fri, 15 Sep 2017 07:08:27 GMT</pubDate>
    <dc:creator>Zach_Sec</dc:creator>
    <dc:date>2017-09-15T07:08:27Z</dc:date>
    <item>
      <title>Cisco ISE posture</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-posture/m-p/3181344#M556147</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have a problem with a Posture implementation at a customer. It is a distributed deployment, with an F5 load balancer in front of the 2 PSN nodes.&lt;/P&gt;&lt;P&gt;The posture checking and CoA within the wired deployment work great, but in a WiFi scenario, not so well. We have 2 authorization rules, in which the first one checks if the posture status is set to "compliant", and if it is, it gets a specific dACL.&lt;/P&gt;&lt;P&gt;The second rule states that if there is a WiFi connection attempt to a specific SSID, a posture check should happen.&lt;/P&gt;&lt;P&gt;The posture check with the AnyConnect Posture module always goes fine, saying the workstation is compliant,&amp;nbsp;but the problem is that in the RADIUS live log it says that the posture result is in state "Pending", and therefore the first authorization rule is never hit. Sometimes an error pops up in the live logs saying "&lt;SPAN&gt;1213 No response received from Network Access Device", and I found that that is a CoA problem. I checked that CoA is enabled on the WLC and that SNAT is not being used on the F5.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Any suggestions? Perhaps some configuration is missing on the F5?&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Maybe I should try the first advice from&amp;nbsp;&lt;A href="https://communities.cisco.com/docs/DOC-71879" target="_blank"&gt;https://communities.cisco.com/docs/DOC-71879&lt;/A&gt; ?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Best regards,&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Zach&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 18:33:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-posture/m-p/3181344#M556147</guid>
      <dc:creator>Zach_Sec</dc:creator>
      <dc:date>2020-02-21T18:33:44Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE posture</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-posture/m-p/3182083#M556154</link>
      <description>Hi Zach&lt;BR /&gt;If your WLC is configured with the F5 VIP as the RADIUS server for that particular SSID, then SNAT should be configured on the F5 for RADIUS CoA traffic initiated by the PSNs and destined to the NADs (WLC), since CoA is initiated by the PSN and sent to the NAD to which the authenticated user/device is connected.&lt;BR /&gt;Please note this is different from SNAT for RADIUS traffic from the NAD towards the PSN, where the F5 should not source NAT the NAD IP to itself in the RADIUS AAA traffic.&lt;BR /&gt;The CoA has to be sent from the NAD to the Cisco ISE PSNs' IP addresses (without SNAT) and the return traffic flow from Cisco ISE back to the NAD should be SNAT or sent directly to the NAD bypassing the load balancer (F5) (maybe through PBR).</description>
      <pubDate>Sat, 09 Sep 2017 18:41:18 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-posture/m-p/3182083#M556154</guid>
      <dc:creator>Mohamed Abd Elnaser Mohamed Mohamed Ali</dc:creator>
      <dc:date>2017-09-09T18:41:18Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE posture</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-posture/m-p/3184533#M556159</link>
      <description>&lt;P&gt;Yeah, I understand, but the trick that did it for me was to reboot the PSN nodes. Thank you anyway for your tip, Mohamed!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Best regards,&lt;/P&gt;&lt;P&gt;Zach&lt;/P&gt;</description>
      <pubDate>Fri, 15 Sep 2017 07:08:27 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-posture/m-p/3184533#M556159</guid>
      <dc:creator>Zach_Sec</dc:creator>
      <dc:date>2017-09-15T07:08:27Z</dc:date>
    </item>
  </channel>
</rss>

