https://community.cisco.com/t5/network-access-control/cisco-ise-posture-status-unknown-but-anyconnect-as-compliant/m-p/4695087#M577428 <P>Great! I appreciate your reply.</P> Wed, 28 Sep 2022 00:57:03 GMT LC.IT 2022-09-28T00:57:03Z https://community.cisco.com/t5/network-access-control/cisco-ise-posture-status-unknown-but-anyconnect-as-compliant/m-p/4621669#M575111 <P>Hello team,</P> <P>&nbsp;</P> <P>We are deploying Posture with Cisco ISE 2.7 (Patch7) and we are facing a strange issue. The machine with AnyConnect report to us the "Compliant" status with Network Access Allowed, but looking through ISE dashboard we receive "Unknown" status and the redirect for the provisioning portal.</P> <P>- I've already disabled all posture rules, we're not scanning for anything (just software and hardware inventory).</P> <P>- The CoA is correctly applied in the controller.</P> <P>- We are using EAP-TLS (machine cert.) for auth..</P> <P>- The WLC acl works good, redirecting 443, 8443, 8905 and allowing domain.</P> <P>- The firewall are with any any allowed.</P> <P>- The Authz. profiles (deny, permit and redirect for provisioning portal looks good too).</P> <P>-&nbsp;We don't have any kind of posture on the wired network yet.</P> <P>- Cisco ISE are with 'default posture status' setting as compliant</P> <P>- Attached are the authz. policy (PNG).</P> <P>&nbsp;</P> <P>Has anyone experienced something like this?</P> <P>Thanks!</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 31 May 2022 15:00:04 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-posture-status-unknown-but-anyconnect-as-compliant/m-p/4621669#M575111 LKL4 2022-05-31T15:00:04Z https://community.cisco.com/t5/network-access-control/cisco-ise-posture-status-unknown-but-anyconnect-as-compliant/m-p/4622944#M575150 <P>Please check whether the authentication, accounting, and posturing all done on the same ISE PSN node. Likely you need engage TAC to troubleshoot further.</P> Thu, 02 Jun 2022 03:05:10 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-posture-status-unknown-but-anyconnect-as-compliant/m-p/4622944#M575150 hslai 2022-06-02T03:05:10Z https://community.cisco.com/t5/network-access-control/cisco-ise-posture-status-unknown-but-anyconnect-as-compliant/m-p/4625908#M575235 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/142597">@jhsl</a>,</P> <P>We are running ise with just one node (standalone) and TAC&nbsp;already involved in this analysis.</P> Mon, 06 Jun 2022 12:43:47 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-posture-status-unknown-but-anyconnect-as-compliant/m-p/4625908#M575235 LKL4 2022-06-06T12:43:47Z https://community.cisco.com/t5/network-access-control/cisco-ise-posture-status-unknown-but-anyconnect-as-compliant/m-p/4627868#M575316 <P>Just adding the solution for my issue:<BR />This is the new bug matching this behavior: CSCwa99904 17.6.2 || 9800 WLC Deletes Client when DHCP RELEASE is sent by client during Posture.</P> Wed, 08 Jun 2022 12:59:13 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-posture-status-unknown-but-anyconnect-as-compliant/m-p/4627868#M575316 LKL4 2022-06-08T12:59:13Z https://community.cisco.com/t5/network-access-control/cisco-ise-posture-status-unknown-but-anyconnect-as-compliant/m-p/4695049#M577424 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/730677">@LKL4</a>&nbsp;did the workaround fix the problem described on <A href="https://quickview.cloudapps.cisco.com/quickview/bug/CSCwa99904" target="_blank" rel="noopener">CSCwa99904</A>?</P> Tue, 27 Sep 2022 22:21:39 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-posture-status-unknown-but-anyconnect-as-compliant/m-p/4695049#M577424 LC.IT 2022-09-27T22:21:39Z https://community.cisco.com/t5/network-access-control/cisco-ise-posture-status-unknown-but-anyconnect-as-compliant/m-p/4695079#M577427 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1230356">@LC.IT</a>&nbsp;</P> <P>Yes, in my case we were able to work around this by setting PMF to disabled (moved from WPA2+WPA3 to WPA+WPA2).</P> Wed, 28 Sep 2022 00:15:24 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-posture-status-unknown-but-anyconnect-as-compliant/m-p/4695079#M577427 LKL4 2022-09-28T00:15:24Z https://community.cisco.com/t5/network-access-control/cisco-ise-posture-status-unknown-but-anyconnect-as-compliant/m-p/4695087#M577428 <P>Great! I appreciate your reply.</P> Wed, 28 Sep 2022 00:57:03 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-posture-status-unknown-but-anyconnect-as-compliant/m-p/4695087#M577428 LC.IT 2022-09-28T00:57:03Z