topic Re: Hi, all. in Network Access Control

Cisco Anyconnect & ISE behavior with Machine comes back from sleep mode

Ali Koussan — Mon, 11 Mar 2019 06:09:10 GMT

I have an ISE setup (Eap-chaining & posturing ) for wired using Cisco Anyconnect 4.1 . I'm facing two issues with anyconnect , and hopefully some one can help me out ..

1- When machine moves from sleep mode to live , ISE is not allowing users full access to network

Any connect shows it as connected and system scan shows complaint but user is not getting access and he has to manually reconnect using any connect to get the services back

2- anyconnect client keep showing as "updating requirements" for Long time sometimes

Attached error “keep updating”

any hints?

1.- Does ISE authenticate

jan.nielsen — Wed, 14 Oct 2015 18:29:32 GMT

- Does ISE authenticate your machines once they "wake up" and then sends an authorization result?

- What authorization attributes are you sending to the switch, vlan change, acl or both?

- What host mode are you using on the switch ports ? ( maybe post interface config)

- What does a "show auth sess interface <port the pc is in> when it's ok, and when this problem is happening (before the manual reconnect)?

- What posture checks are you running ?

- What remediation actions are you trying to take ?

Hi Jan , Thanks for your

Ali Koussan — Thu, 15 Oct 2015 05:52:13 GMT

Hi Jan ,

Thanks for your reply , Actually these two issues happened randomly , sometime it works and sometimes it did not . I have regenerate the problem or wait until it happened again and I will capture the outputs from the switch side and ISE side and post here .

port configuration is as follows :

interface GigabitEthernet1/0/1
switchport access vlan 121
switchport mode access
switchport voice vlan 130
authentication event fail action next-method
authentication event server dead action reinitialize vlan 121
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable

2- For the second issue : the machine was already complaint , and this happens when re-posture is happening , the machine need no remediation as it is already complaint . Posture check includes AV check and some services check and it is all OK with that machine. It is just annoying the user and he is asking why it is doing that from time to time , sometimes it happens fast , and sometimes takes long time to complete.

I will gather more information about this issue and post it.

Hello Jan,The problem

Ali Koussan — Tue, 20 Oct 2015 08:31:17 GMT

Hello Jan,

The problem happened again , to answer your questions :

- Does ISE authenticate your machines once they "wake up" and then sends an authorization result?

after the machine wake up , ISE authenticate the machine , but the authorization profile given is the one given when the machine do not have anyconnect installed (CPP)

in my case this authorization profile named "XYZ-ISE-POSTURE-UNKNOWN"

- What authorization attributes are you sending to the switch, vlan change, acl or both?
When machine is authenticated and authorized , ACL list is pushed to the switch. no vlan change.

- What host mode are you using on the switch ports ? ( maybe post interface config)

host mode multi-auth

- What does a "show auth sess interface <port the pc is in> when it's ok, and when this problem is happening (before the manual reconnect)?

when the problem happens and before disconnect and connect :
=====================================================

ZI-IT-021#Show auth session int gig1/0/11
Interface: GigabitEthernet1/0/11
MAC Address: fc15.b4ec.f432
IP Address: 172.16.21.8
User-Name: z8785
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-XYZ-ISE-POSTURE-UNKNOWN-55ebe7ee
URL Redirect ACL: ACL-REDIRECT
URL Redirect: https://XYZ-ise-01.xyzq.net:8443/portal/gateway?sessionId=AC10321500016725166C9573&portal=bd13d762-fd2c-11e4-a063-b83861d7efc6&action=cpp&token=acbfea3c5e84d2d7e3cbff8c72c23b47
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC10321500016725166C9573
Acct Session ID: 0x00019575
Handle: 0x510006E0

Runnable methods list:
Method State

dot1x Authc Success
mab Not run

======================================
After disconnect and connect
======================================
XXIT-021#

917334: Oct 20 2015 10:47:24.538 KSA: %DOT1X-5-SUCCESS: Authentication successful for client (fc15.b4ec.f432) on Interface Gi1/0/11 AuditSessionID AC10321500016725166C9573
917335: Oct 20 2015 10:47:24.538 KSA: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (fc15.b4ec.f432) on Interface Gi1/0/11 AuditSessionID AC10321500016725166C9573
917336: Oct 20 2015 10:47:24.538 KSA: %EPM-6-POLICY_REQ: IP 172.16.21.8| MAC fc15.b4ec.f432| AuditSessionID AC10321500016725166C9573| AUTHTYPE DOT1X| EVENT APPLY
917337: Oct 20 2015 10:47:24.545 KSA: %EPM-6-POLICY_APP_SUCCESS: IP 172.16.21.8| MAC fc15.b4ec.f432| AuditSessionID AC10321500016725166C9573| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-XYZ-PERMIT-ALL-547d7b63| RESULT SUCCESS
917338: Oct 20 2015 10:47:25.289 KSA: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (fc15.b4ec.f432) on Interface Gi1/0/11 AuditSessionID AC10321500016725166C9573

XXIT-021#sh authentication sessions int gigabitEthernet 1/0/11
Interface: GigabitEthernet1/0/11
MAC Address: fc15.b4ec.f432
IP Address: 172.16.21.8
User-Name: z8785
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-XYZ-PERMIT-ALL-547d7b63
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC10321500016725166C9573
Acct Session ID: 0x00019575
Handle: 0x510006E0

Runnable methods list:
Method State
dot1x Authc Success

as you can see , it looks like when the machine comes back from sleep mode , the Cisco Anyconnect can not be detected by ISE .

Any ideas ?!

This is normal, if the PC has

jan.nielsen — Tue, 20 Oct 2015 10:29:13 GMT

This is normal, if the PC has been asleep, and is re-authenticated, ISE will per default require it to go through posture assesment, so you are unknown until you are compliant or noncompliant, the redirect url you can see in the authz profile, should make the posture agent detect what PSN to talk to and start doing the posture. But you have to login to the machine for that to happen. Does your posture agent not change state to something like "searching" once you login to the machine?

The user is already logged in

Ali Koussan — Tue, 20 Oct 2015 16:09:29 GMT

The user is already logged in when the PC comes back from sleep .I did not notice the status of the anyconnect if it is searching or something when the user logged in to the machine.I have to re-check again , but apparently there is an issue between sleep mode and anyconnect.

when comes back from sleep mode , anyconnect could not be detected by ISE (or the other way around) , and therefore this machine will be seen by the ISE as it dose not have anyconnect installed. This is what we have to find a solution for.

Hi Ali

Gaj Ana — Thu, 04 Feb 2016 07:39:22 GMT

Hi Ali

Did you able to solve the issue?

Tks

Hi, all.

Frank Lothar Weber — Mon, 28 Nov 2016 12:49:41 GMT

Hi, all.

Seems like this is still not working as desired:

- ISE V2.1 patch 2, AnyconnectComplianceModuleWindows 4.2.488

- Windows 7 client running latest Anyconnect 4.3.4027 (SSL VPN module, ISE posture module, NAM Module)

- EAP-TLS

When the client is booted, authentication (EAP-TLS) runs fine, authorization puts the client into "posture unkown" (including Redirect-ACL, unkown-client-DACL and Redirect URL).

ISE posture module starts up, searches for ISE server, finds server, checks version of Anyconnect and modules, executes posture checks and policies successfully, "posture compliant" profile (including PERMIT_ALL_DACL) is authorized and put onto the switchport.

After nobody touching the client for xyz minutes, the client is locked and the screen is turned off, anybody who wants to use the client from there on, has to log in again.

When reauthentication occurs while the client is in this locked state, it gets reauthenticated, but authorization stays in "posture unknown" state.

So far, so good, all parts working as they should !!!

If the client is now unlocked by the user (through his/her login), the client stays in "posture unkown" state, ISE posture module still shows "compliant" state (from last successful posture) !!!!!!! No new server discovery is initiated or reposturing is done!!!

The switchport however still has "posture unknown", including Redirect-ACL, unkown-client-DACL and Redirect URL.

Only disconnecting the cable (by the user) or manually shutting the access port down and reenabling it (by me) does the trick, but this cannot be it !!!!

Any clues ???

I also have this issue... Has

Matthew Martin — Thu, 15 Dec 2016 21:14:20 GMT

I also have this issue... Has there ever been a solution provided for this problem??

We were running AnyConnect 4.2 and ISE v2.0, so we upgraded AnyConnect to v4.3, but we are still seeing the same problem. My Problem is almost word-for-word the same thing as Ali and Frank...

Thanks in Advance,

Matt

Re: Hi, all.

Nishad Dadhaniya — Sun, 13 May 2018 07:23:46 GMT

Hi frank,

I have this issue too. how did you managed to solve this issue ?

Re: Hi, all.

sudheere — Wed, 30 May 2018 15:24:53 GMT

I am also facing same issue. After a certain while when user unlocks his computer, the Anyconnect posture module is still in 'complaint' status but a per ISE operation log it is in 'Unknown' state. Anyone solved this issue?

Re: Hi, all.

ccg-security — Tue, 10 Jul 2018 07:02:06 GMT

change the setting of your ISE posture instead of perform posture assessment every time a user connects to the network, use perform posture assessment every 1 day.

thanks.

Re: Hi, all.

rhuel.phils — Thu, 26 Jul 2018 02:17:30 GMT

Guys, we are having this issue also for a week!

Anyone has solution?

Re: Hi, all.

Jason Kunst — Thu, 26 Jul 2018 19:08:03 GMT

contact the TAC to debug

Re: Hi, all.

Madura Malwatte — Mon, 15 Apr 2019 00:27:46 GMT

Was there a resolution to this? I am facing the exact same issue. Anyconnect posture module stays in 'complaint' status but is in 'Unknown' state, and no new server discovery is initiated or reposturing is done.

Re: Hi, all.

SHABEEB KUNHIPOCKER — Wed, 16 Oct 2019 16:03:37 GMT

We are also facing the same issue. Anyone has a fix for this ?

Re: Cisco Anyconnect & ISE behavior with Machine comes back from sleep mode

ajtm — Mon, 23 Dec 2019 19:07:34 GMT

Same here. Happens randomly. Windows native supplicant configured with machine authentication (EAP-TLS).

Re: Cisco Anyconnect & ISE behavior with Machine comes back from sleep mode

williamtan — Wed, 15 Jan 2020 06:59:29 GMT

Anyone have solution for this issue? I'm facing the same issue at user site without solution now.

Re: Cisco Anyconnect & ISE behavior with Machine comes back from sleep mode

SHABEEB KUNHIPOCKER — Thu, 27 Feb 2020 07:51:01 GMT

Is there any solution for this issue?.

Re: Cisco Anyconnect & ISE behavior with Machine comes back from sleep mode

MambaRod16 — Sun, 21 Feb 2021 12:35:30 GMT

Is there any solution for the issue?