Cisco ISE 1.3 Authentication timer inactivity and Anyconnect Posture Issue

besteves
Level 1

Hi Guys,

We're facing a reauthorization problem related to AnyConnect 4.1 after the Authentication timer inactivity on the switch port expires. After the time expires, the session goes to the Unknown state (normal behavior), but when the user starts to work on the machine, AnyConnect doesn't start the scan to put this session in Compliance again. If I force the scan (uncheck and check the "Block connections to untrusted servers" option on the Preferences tab), then it does a scan and changes the status to the Compliance state.

Is this a best practice for working with the Authentication timer inactivity and AnyConnect Posture features?

Thanks a lot.

7 Replies

nspasov
Cisco Employee

Hmm, it is possible that you are hitting a bug. Have you tried AnyConnect 4.2?

Thank you for rating helpful posts!

Hi Neno,

I tried with AnyConnect 4.2.02075 but it has not solved the problem.

Thanks a lot.

Can you post screen shots from:

1. Administration > System > Settings > Posture > Reassessments.

2. Administration > System > Settings > Posture > General Settings.

3. Your Posture Profile

Thank you for rating helpful posts!

Here they are...

To me everything looks correct. I would suggest you open a TAC case and ask Cisco to assist. Let us know what happens!

Thank you for rating helpful posts!

Hi Neno,

The TAC suggested a workaround: changing the client posture assessment condition. This way the connection remains authorized even after the Authentication timer inactivity expires. I tested in my and the problem was solved; I'll apply it at the customer.

Administration --> Settings --> Posture --> General Settings

From: Perform posture assessment every time a user connects to the network

To: Perform posture assessment every 1 day

Thanks a lot.

Yes, with that change the endpoint will remain "compliant" for the whole day after it passes posture once. 

Let us know if this workaround works for you. 

Thank you for rating helpful posts!