[Cisco ISE] Posture Status Unknown but AnyConnect as Compliant

LKL4
Level 1

Hello team,
We are deploying Posture with Cisco ISE 2.7 (Patch 7) and we are facing a strange issue. The machine with AnyConnect reports the "Compliant" status to us with Network Access Allowed, but looking through the ISE dashboard we see the "Unknown" status and the redirect to the provisioning portal.

- I've already disabled all posture rules, we're not scanning for anything (just software and hardware inventory).

- The CoA is correctly applied in the controller.

- We are using EAP-TLS (machine cert.) for auth.

- The WLC ACL works well, redirecting 443, 8443, 8905 and allowing the domain.

- The firewall is set to any/any allowed.

- The Authz. profiles (deny, permit and redirect to the provisioning portal) look good too.

- We don't have any kind of posture on the wired network yet.

- Cisco ISE has the 'default posture status' setting as compliant.

- Attached are the authz. policy (PNG).
Has anyone experienced something like this?

Thanks!

6 Replies

hslai
Cisco Employee

Please check whether the authentication, accounting, and posturing are all done on the same ISE PSN node. Likely you need to engage TAC to troubleshoot further.

Hello @jhsl,

We are running ISE with just one node (standalone) and TAC is already involved in this analysis.

LKL4
Level 1

Just adding the solution for my issue:
This is the new bug matching this behavior: CSCwa99904 17.6.2 || 9800 WLC Deletes Client when DHCP RELEASE is sent by client during Posture.

@LKL4 did the workaround fix the problem described on CSCwa99904?

Hello @LC.IT

Yes, in my case we were able to work around this by setting PMF to disabled (moved from WPA2+WPA3 to WPA+WPA2).

Great! I appreciate your reply.