10-14-2015 12:09 AM - edited 03-10-2019 11:09 PM
I have an ISE setup (EAP chaining & posturing) for wired using Cisco AnyConnect 4.1. I'm facing two issues with AnyConnect, and hopefully someone can help me out.
1- When a machine moves from sleep mode to live, ISE is not allowing users full access to the network.
AnyConnect shows it as connected and the system scan shows compliant, but the user is not getting access and has to manually reconnect using AnyConnect to get the services back.
2- The AnyConnect client sometimes keeps showing "updating requirements" for a long time.
Attached error "keep updating"
Any hints?
10-14-2015 11:29 AM
1.
- Does ISE authenticate your machines once they "wake up" and then send an authorization result?
- What authorization attributes are you sending to the switch: VLAN change, ACL or both?
- What host mode are you using on the switch ports? (Maybe post the interface config.)
- What does a "show auth sess interface <port the pc is in>" show when it's OK, and when this problem is happening (before the manual reconnect)?
2.
- What posture checks are you running?
- What remediation actions are you trying to take?
10-14-2015 10:52 PM
Hi Jan,
Thanks for your reply. Actually these two issues happen randomly; sometimes it works and sometimes it does not. I have to regenerate the problem or wait until it happens again, and then I will capture the outputs from the switch side and the ISE side and post them here.
Port configuration is as follows:
interface GigabitEthernet1/0/1
switchport access vlan 121
switchport mode access
switchport voice vlan 130
authentication event fail action next-method
authentication event server dead action reinitialize vlan 121
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
2- For the second issue: the machine was already compliant, and this happens when re-posture is happening; the machine needs no remediation as it is already compliant. The posture checks include an AV check and some services checks, and it is all OK with that machine. It is just annoying the user, and he is asking why it is doing that from time to time; sometimes it happens fast, and sometimes it takes a long time to complete.
I will gather more information about this issue and post it.
10-20-2015 01:31 AM
Hello Jan,
The problem happened again. To answer your questions:
- Does ISE authenticate your machines once they "wake up" and then send an authorization result?
After the machine wakes up, ISE authenticates the machine, but the authorization profile given is the one given when the machine does not have AnyConnect installed (CPP).
In my case this authorization profile is named "XYZ-ISE-POSTURE-UNKNOWN".
- What authorization attributes are you sending to the switch: VLAN change, ACL or both?
When the machine is authenticated and authorized, an ACL is pushed to the switch. No VLAN change.
- What host mode are you using on the switch ports? (Maybe post the interface config.)
Host mode multi-auth.
- What does a "show auth sess interface <port the pc is in>" show when it's OK, and when this problem is happening (before the manual reconnect)?
When the problem happens, and before disconnect and connect:
=====================================================
ZI-IT-021#Show auth session int gig1/0/11
Interface: GigabitEthernet1/0/11
MAC Address: fc15.b4ec.f432
IP Address: 172.16.21.8
User-Name: z8785
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-XYZ-ISE-POSTURE-UNKNOWN-55ebe7ee
URL Redirect ACL: ACL-REDIRECT
URL Redirect: https://XYZ-ise-01.xyzq.net:8443/portal/gateway?sessionId=AC10321500016725166C9573&portal=bd13d762-fd2c-11e4-a063-b83861d7efc6&action=cpp&token=acbfea3c5e84d2d7e3cbff8c72c23b47
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC10321500016725166C9573
Acct Session ID: 0x00019575
Handle: 0x510006E0
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
======================================
After disconnect and connect:
======================================
XXIT-021#
917334: Oct 20 2015 10:47:24.538 KSA: %DOT1X-5-SUCCESS: Authentication successful for client (fc15.b4ec.f432) on Interface Gi1/0/11 AuditSessionID AC10321500016725166C9573
917335: Oct 20 2015 10:47:24.538 KSA: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (fc15.b4ec.f432) on Interface Gi1/0/11 AuditSessionID AC10321500016725166C9573
917336: Oct 20 2015 10:47:24.538 KSA: %EPM-6-POLICY_REQ: IP 172.16.21.8| MAC fc15.b4ec.f432| AuditSessionID AC10321500016725166C9573| AUTHTYPE DOT1X| EVENT APPLY
917337: Oct 20 2015 10:47:24.545 KSA: %EPM-6-POLICY_APP_SUCCESS: IP 172.16.21.8| MAC fc15.b4ec.f432| AuditSessionID AC10321500016725166C9573| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-XYZ-PERMIT-ALL-547d7b63| RESULT SUCCESS
917338: Oct 20 2015 10:47:25.289 KSA: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (fc15.b4ec.f432) on Interface Gi1/0/11 AuditSessionID AC10321500016725166C9573
XXIT-021#sh authentication sessions int gigabitEthernet 1/0/11
Interface: GigabitEthernet1/0/11
MAC Address: fc15.b4ec.f432
IP Address: 172.16.21.8
User-Name: z8785
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-XYZ-PERMIT-ALL-547d7b63
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC10321500016725166C9573
Acct Session ID: 0x00019575
Handle: 0x510006E0
Runnable methods list:
Method State
dot1x Authc Success
As you can see, it looks like when the machine comes back from sleep mode, Cisco AnyConnect cannot be detected by ISE.
Any ideas?!
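The two "show authentication sessions" outputs above differ only in the dACL name and in the presence of the URL-redirect attributes, so the stuck state is visible from the switch alone. Below is an added Python checker that is not part of this thread and not a Cisco tool: it parses that output and the %EPM-6-POLICY_APP_SUCCESS syslog line, classifies the port as full-access or posture-pending, and flags the mismatch when the posture agent reports Compliant while the port is still redirected. The sample inputs are constructed from the outputs pasted in this thread; the "POSTURE-UNKNOWN" substring is this site's own dACL naming and is used only as an assumed secondary hint, the redirect attributes being the generic signal.

```python
import re

# Constructed sample, copied from the "before reconnect" output in this thread.
# Stuck state: port authorized, but still carrying the redirect ACL and URL.
STUCK_SESSION = """\
Interface: GigabitEthernet1/0/11
MAC Address: fc15.b4ec.f432
IP Address: 172.16.21.8
User-Name: z8785
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-XYZ-ISE-POSTURE-UNKNOWN-55ebe7ee
URL Redirect ACL: ACL-REDIRECT
URL Redirect: https://XYZ-ise-01.xyzq.net:8443/portal/gateway?sessionId=AC10321500016725166C9573&action=cpp
Common Session ID: AC10321500016725166C9573
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
"""

# Constructed sample of the healthy state after the manual reconnect:
# permit-all dACL and no redirect attributes.
HEALTHY_SESSION = """\
Interface: GigabitEthernet1/0/11
MAC Address: fc15.b4ec.f432
User-Name: z8785
Status: Authz Success
Authorized By: Authentication Server
ACS ACL: xACSACLx-IP-XYZ-PERMIT-ALL-547d7b63
Common Session ID: AC10321500016725166C9573
Runnable methods list:
Method State
dot1x Authc Success
"""

# Constructed syslog line, taken from the reconnect log in this thread.
EPM_LINE = ("917337: Oct 20 2015 10:47:24.545 KSA: %EPM-6-POLICY_APP_SUCCESS: "
            "IP 172.16.21.8| MAC fc15.b4ec.f432| AuditSessionID AC10321500016725166C9573| "
            "AUTHTYPE DOT1X| POLICY_TYPE Named ACL| "
            "POLICY_NAME xACSACLx-IP-XYZ-PERMIT-ALL-547d7b63| RESULT SUCCESS")

# Assumption: this site names its posture-unknown dACL with this substring.
POSTURE_UNKNOWN_HINT = "POSTURE-UNKNOWN"

EPM_RE = re.compile(
    r"%EPM-6-POLICY_APP_SUCCESS:.*?\bMAC (?P<mac>[0-9a-f.]+)\|"
    r".*?AuditSessionID (?P<sid>\w+)\|"
    r".*?POLICY_NAME (?P<policy>\S+)\|")


def parse_auth_session(text):
    """Turn 'show authentication sessions interface ...' output into a dict.
    Attribute lines become key/value pairs; the runnable-methods table
    becomes session['methods'] = {method: state}."""
    session = {"methods": {}}
    in_methods = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            if line.startswith("Method"):      # column header row
                continue
            name, _, state = line.partition(" ")
            session["methods"][name] = state.strip()
            continue
        key, sep, value = line.partition(": ")  # split on the first ': ' only, so URLs keep their colons
        if sep:
            session[key] = value.strip()
    return session


def classify_session(session):
    """'not-authorized', 'posture-pending' (client is redirected to the CPP/posture
    portal) or 'full-access', judged only from what the switch reports."""
    if session.get("Status") != "Authz Success":
        return "not-authorized"
    redirected = "URL Redirect" in session or "URL Redirect ACL" in session
    if redirected or POSTURE_UNKNOWN_HINT in session.get("ACS ACL", "").upper():
        return "posture-pending"
    return "full-access"


def posture_mismatch(session, agent_state):
    """The symptom in this thread: the AnyConnect posture module says
    Compliant while the port is still in the posture-pending state."""
    return agent_state.lower() == "compliant" and classify_session(session) == "posture-pending"


def parse_epm_syslog(line):
    """Extract MAC, session id and the applied dACL from an EPM policy-apply log line."""
    m = EPM_RE.search(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for label, text in (("stuck", STUCK_SESSION), ("healthy", HEALTHY_SESSION)):
        s = parse_auth_session(text)
        print(label, s["MAC Address"], classify_session(s),
              "MISMATCH" if posture_mismatch(s, "Compliant") else "ok")
    print(parse_epm_syslog(EPM_LINE))
```

Run over a batch of saved session outputs, the checker lists every port whose session is still redirected; correlating the Common Session ID with the POLICY_NAME from the EPM syslog then shows whether the permit-all dACL was ever applied for that session after the wake-up reauthentication.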
10-20-2015 03:29 AM
This is normal. If the PC has been asleep and is re-authenticated, ISE will by default require it to go through posture assessment, so you are unknown until you are compliant or noncompliant. The redirect URL you can see in the authz profile should make the posture agent detect which PSN to talk to and start doing the posture. But you have to log in to the machine for that to happen. Does your posture agent not change state to something like "searching" once you log in to the machine?
10-20-2015 09:09 AM
The user is already logged in when the PC comes back from sleep. I did not notice the status of AnyConnect, whether it was searching or something else, when the user logged in to the machine. I have to re-check again, but apparently there is an issue between sleep mode and AnyConnect.
When it comes back from sleep mode, AnyConnect cannot be detected by ISE (or the other way around), and therefore this machine will be seen by ISE as if it does not have AnyConnect installed. This is what we have to find a solution for.
02-03-2016 11:39 PM
Hi Ali,
Were you able to solve the issue?
Tks
G
12-15-2016 01:14 PM
I also have this issue... Has there ever been a solution provided for this problem?
We were running AnyConnect 4.2 and ISE v2.0, so we upgraded AnyConnect to v4.3, but we are still seeing the same problem. My problem is almost word-for-word the same as Ali's and Frank's...
Thanks in Advance,
Matt
11-28-2016 04:49 AM
Hi, all.
Seems like this is still not working as desired:
- ISE V2.1 patch 2, AnyconnectComplianceModuleWindows 4.2.488
- Windows 7 client running latest AnyConnect 4.3.4027 (SSL VPN module, ISE posture module, NAM module)
- EAP-TLS
When the client is booted, authentication (EAP-TLS) runs fine, and authorization puts the client into "posture unknown" (including Redirect-ACL, unknown-client dACL and Redirect URL).
The ISE posture module starts up, searches for the ISE server, finds the server, checks the version of AnyConnect and modules, executes posture checks and policies successfully, and the "posture compliant" profile (including PERMIT_ALL_DACL) is authorized and put onto the switchport.
After nobody has touched the client for xyz minutes, the client is locked and the screen is turned off; anybody who wants to use the client from there on has to log in again.
When reauthentication occurs while the client is in this locked state, it gets reauthenticated, but authorization stays in the "posture unknown" state.
So far, so good, all parts working as they should!!!
If the client is now unlocked by the user (through his/her login), the client stays in the "posture unknown" state, while the ISE posture module still shows the "compliant" state (from the last successful posture)!!!!!!! No new server discovery is initiated and no reposturing is done!!!
The switchport however still has "posture unknown", including Redirect-ACL, unknown-client dACL and Redirect URL.
Only disconnecting the cable (by the user) or manually shutting the access port down and re-enabling it (by me) does the trick, but this cannot be it!!!!
Any clues???
05-13-2018 12:23 AM
Hi Frank,
I have this issue too. How did you manage to solve this issue?
05-30-2018 08:24 AM
I am also facing the same issue. After a certain while, when the user unlocks his computer, the AnyConnect posture module is still in 'compliant' status, but per the ISE operations log it is in 'Unknown' state. Has anyone solved this issue?
07-10-2018 12:02 AM
Change the setting of your ISE posture: instead of "perform posture assessment every time a user connects to the network", use "perform posture assessment every 1 day".
Thanks.
07-25-2018 07:17 PM
Guys, we have been having this issue too for a week!
Does anyone have a solution?
07-26-2018 12:08 PM
04-14-2019 05:27 PM
Was there a resolution to this? I am facing the exact same issue. The AnyConnect posture module stays in 'compliant' status but is in 'Unknown' state, and no new server discovery is initiated and no reposturing is done.