Authorization profile not changed after posture compliant

Antonio Macia
Level 3

Hi,

We've noticed a weird behavior in our ISE deployment integrated with ASA for AnyConnect authorization.

AnyConnect users have posture configured, so every time they connect they first match the "posture unknown" authorization profile while AnyConnect runs the system scan. We observe this normal behavior in the RADIUS live logs.

Once the client is compliant, the status changes to "Compliant" in the "Posture Status" column, BUT the "authorization profile" column is not updated with the valid rule that matches the compliant status. However, the dACL sent to ASA and actually applied is the correct one based on the user profile.

ISE performs just authorization, not authentication, which is validated by the ASA using certificates.

Summarizing: ISE sees the user as compliant, internally matches the authorization profile for a compliant user, but the RADIUS logs are not updated accordingly and we see all the users with the status "unknown".

Any ideas?

Thanks.

1 Accepted Solution

Greg Gibbs
Cisco Employee

The behaviour you're seeing could be related to this bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf59076

 

2 Replies

Thanks.

The bug description completely matches my scenario indeed. Time to patch!