ISE Posture for non-agent device problem

Tan Do Nhat — Mon, 11 Mar 2019 04:56:20 GMT

I have a couple of questions:

- They said it the documents: "these (non-agent) devices assume the Default Posture Status settings". I wonder how ISE determines that a device is a non-agent device, or to put it another way, when is the Default Posture Status settings applied to a device? Is it after some period of time not receiving anything from the agent? If yes, can and where do I change that time in ISE?

- I tested this with my lab and saw that: after the user successfully login with his account, and the Authorization profile with Client provisioning is applied to that session, the user goes to a web page and gets redirect to the CPP page. Now if he just sits there and doesn't install the NAC agent, I noticed that after about 40s, the session is automatically restarted to a new one, with a different session ID, but the same username. The new session gets to the point where the same redirect Authorization profile is applied and the whole process cycles over and over. Things I observed each time the session restarts:

+ The user doesn't even have to enter the credentials again. The 802.1x login doesn't popup

+ The Default Posture status (I set it to Noncompliant) is applied to the session right before it restarts. I can see an event on ISE indicating that. The event also shows the Acct-Terminate-Cause as "Admin Reset"

+ If at any point, the user installs a NAC agent then he can break the cycle (e.g becomes compliant) and carry on with other Authorization profiles

So my question is: is that expected behavior of ISE? Although it seems no harm except new sessions are created continously

Or have I configured something wrong?

Anybody?

Tan Do Nhat — Mon, 18 Aug 2014 08:08:17 GMT

Anybody?

topic ISE Posture for non-agent device problem in Network Access Control

ISE Posture for non-agent device problem

Anybody?