Anyconnect posturing behaviour

DAVIES604
Level 1

Hi all,

I've configured posturing with ISE for our AnyConnect clients connecting to ASA 5545 headends, and it works for the most part, but I have some issues.

When a client connects, it is authorised via ISE and it falls into a 'compliance-unknown' authorisation profile, where a DACL and web redirect for provisioning are applied, so far so good. The client ISE posture module completes a compliance scan and sends a successful compliance report to ISE, ISE then sends a CoA to the endpoint, and this is when things seem a bit odd to me. The CoA is sent and processes successfully and new ACL is applied, but the endpoint ID for the CoA is not the client MAC as used before, it's the endpoint local IP address. When I look in Policy Sets, the hit count for the 'compliance' authorisation profile increases, as I would expect for the reauth. But if I look in active sessions, the session for the endpoint still sits in the 'compliance-unknown' authorisation profile, even though its session status is now Postured and Posture Status is Compliant.

When I look in the RADIUS live logs, the successful CoA log entry endpoint ID is the client local IP, not the MAC, and the authorisation profile is the expected 'Compliant' one.

It seems like it's treating it as two separate endpoints, but it works because the session ID is the same. The 'IP' endpoint is not referred to anywhere else other than live logs. I don't know what the normal expected behaviour is but this doesn't seem right.

The other issue is that at no point during this whole process does an Apex license get consumed, which again can't be correct behaviour.

Would someone with a bit more posturing experience be able to explain what I should be seeing?

Any input appreciated, thanks.

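The symptom described above, one RADIUS session whose live-log entries carry a MAC as the endpoint ID at authentication time and the client's local IP at CoA time, is easiest to see by correlating exported live-log records on the session ID rather than on the endpoint ID. The script below is an added example, not part of the original post and not Cisco code: the record fields, event strings and all sample values are constructed for illustration and are assumptions about what an ISE live-log export looks like. It groups records per session, reports whether the endpoint ID changed type (MAC to IP) within a session, and flags sessions that reached Compliant posture without ending in the expected authorisation profile.

```python
import re
from collections import defaultdict

# Endpoint-ID shape checks (assumption: IDs are either a colon/dash MAC or an IPv4 address)
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
IPV4_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")


def classify_endpoint_id(value: str) -> str:
    """Return 'mac', 'ip' or 'other' for a live-log endpoint ID string."""
    if MAC_RE.match(value):
        return "mac"
    if IPV4_RE.match(value):
        return "ip"
    return "other"


# Constructed sample live-log records (hypothetical field names, not a real ISE export).
# Session ...0123 reproduces the behaviour in the post: MAC at auth, IP at CoA.
# Session ...0124 keeps the MAC throughout, for contrast.
SAMPLE_LIVE_LOG = [
    {"time": "2024-01-01T10:00:00", "event": "Authentication succeeded",
     "session_id": "ac10010a00000123", "endpoint_id": "00:11:22:33:44:55",
     "authz_profile": "compliance-unknown", "posture_status": "Unknown"},
    {"time": "2024-01-01T10:00:45", "event": "Dynamic Authorization succeeded",
     "session_id": "ac10010a00000123", "endpoint_id": "192.0.2.10",
     "authz_profile": "Compliant", "posture_status": "Compliant"},
    {"time": "2024-01-01T10:01:00", "event": "Authentication succeeded",
     "session_id": "ac10010a00000124", "endpoint_id": "00:11:22:33:44:66",
     "authz_profile": "compliance-unknown", "posture_status": "Unknown"},
    {"time": "2024-01-01T10:01:50", "event": "Dynamic Authorization succeeded",
     "session_id": "ac10010a00000124", "endpoint_id": "00:11:22:33:44:66",
     "authz_profile": "Compliant", "posture_status": "Compliant"},
]


def correlate_sessions(records):
    """Group live-log records by RADIUS session ID and summarise each session."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["session_id"]].append(rec)

    report = {}
    for sid, entries in by_session.items():
        entries = sorted(entries, key=lambda e: e["time"])
        ids = [e["endpoint_id"] for e in entries]
        kinds = {classify_endpoint_id(i) for i in ids}
        last = entries[-1]
        report[sid] = {
            "endpoint_ids": ids,
            # True when the same session was logged under more than one endpoint ID
            "endpoint_id_changed": len(set(ids)) > 1,
            # True when one session mixes a MAC-style and an IP-style endpoint ID
            "mixed_mac_and_ip": {"mac", "ip"} <= kinds,
            "coa_seen": any("Dynamic Authorization" in e["event"] for e in entries),
            "final_profile": last["authz_profile"],
            "final_posture": last["posture_status"],
        }
    return report


def find_suspect_sessions(records, compliant_profile="Compliant"):
    """Session IDs worth raising with TAC: endpoint ID switched MAC->IP mid-session,
    or posture reached Compliant without the session ending in the compliant profile."""
    suspects = []
    for sid, summary in correlate_sessions(records).items():
        profile_mismatch = (summary["final_posture"] == "Compliant"
                            and summary["final_profile"] != compliant_profile)
        if summary["mixed_mac_and_ip"] or profile_mismatch:
            suspects.append(sid)
    return sorted(suspects)


if __name__ == "__main__":
    for sid, summary in correlate_sessions(SAMPLE_LIVE_LOG).items():
        print(sid, summary)
    print("suspect sessions:", find_suspect_sessions(SAMPLE_LIVE_LOG))
```

Run against a real export, the interesting output is the `mixed_mac_and_ip` flag: if every postured session shows it while access is still correct, that supports treating it as a cosmetic logging issue; if `final_profile` disagrees with `final_posture` for some sessions, that is the evidence to hand to TAC.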
1 Accepted Solution

Accepted Solutions

Timothy Abbott
Cisco Employee

So long as the endpoint is being postured correctly and is getting the appropriate level of access, I see this as a cosmetic issue. Please work with the TAC to verify this is a defect, or have one opened if not already.

Regards,

-Tim
