Posture compliant endpoint does not change authorization policy.

briankk1582
Level 1

Hello,

We have a customer who's running ISE 2.1 patch 2. When the endpoint connects via remote access VPN to the network, posture assessment runs and it does pass. However, in the live logs in ISE, aren't we supposed to see a change in the authorization profile after ISE finds the device to be compliant with Posture requirements? Even after the posture status is found to be compliant, the Unknown authorization profile is still applied. The Session ID is still the same as well.

Also, even after passing posture once, shouldn't we be hitting the posture compliant status right away? Every time we VPN into the firewall, we keep hitting the Unknown rule and Posture is assessed.

Thank you for your time and consideration.

Be well,

Brian


Hi Brian,

Please check whether dynamic-authorization is enabled on the ASA or not. You can refer to this document: https://community.cisco.com/t5/security-documents/how-to-configure-posture-with-anyconnect-compliance-module-and/ta-p/3647768

-Aravind

Hi Aravind,

Thanks for the recommendation. I've also followed that document to deploy our remote access VPN solution.

Having said that, the customer appears to be facing Change of Authorization issues in the ISE deployment overall, not just on the ASA, and we've opened a TAC case for it. Once we've resolved the issue with the customer and TAC, I'll provide an update as to what the resolution was.

Be well,

Brian

Hi Brian,

Thanks for the update. If that is the case, please check whether "RADIUS Change of Authorization (CoA): UDP/1700" is allowed in your network or not.

-Aravind
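Putting Aravind's two checks together, here is an added ASA configuration example (not from the thread or the linked document) showing the RADIUS server group before and after CoA is enabled. The server group name ISE, the interface name inside, the address 192.0.2.10, and the tunnel group name RA-VPN are assumed placeholders.

```cisco
! Added example: ASA RADIUS server group for ISE with and without CoA.
! Without "dynamic-authorization" the ASA never listens for the CoA that
! ISE sends once posture completes, so the session keeps the pre-posture
! (Unknown) authorization profile exactly as described in the question.
!
! Before (CoA from ISE is silently ignored):
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.0.2.10
 key <radius-shared-secret>
 authentication-port 1812
 accounting-port 1813
!
! After: the group listens for CoA on UDP/1700 (the default port) and
! sends interim accounting so ISE keeps track of the session it must
! re-authorize. UDP/1700 from the ISE PSN to this ASA interface must be
! permitted by any firewall or ACL in the path.
aaa-server ISE protocol radius
 dynamic-authorization
 interim-accounting-update periodic 1
aaa-server ISE (inside) host 192.0.2.10
 key <radius-shared-secret>
 authentication-port 1812
 accounting-port 1813
!
! The remote access tunnel group must use the same server group for both
! authentication and accounting; otherwise ISE has no live session to
! push the post-posture authorization to.
tunnel-group RA-VPN general-attributes
 authentication-server-group ISE
 accounting-server-group ISE
```

After applying the change, a successful posture should show in the ISE live logs as a CoA event followed by a new authorization with the compliant profile, rather than the Unknown profile persisting on the same session.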