05-15-2017 09:03 AM
Hi, we have Cisco ISE v2.1 patch 3 running for wired 802.1x with posture checking. The end devices are Windows 10 desktops/laptops running AnyConnect v4.4.248. Posture works fine but it takes approx. 30 seconds, which is a long time for a user to wait. If we enable the SCCM check for installation or service running it's the same delay, but if we ask SCCM to check that patches are up to date this takes 1/5 mins.
The authentication policy is EAP-TLS to a CAP profile, works fine.
Authorisation rules:-
Any help would be helpful.
Regards Khalid
05-28-2017 09:42 AM
I would suggest to engage TAC and submit the DART for investigation.
05-29-2017 12:47 PM
Thanks for the response Hslai. DART or Wireshark export is not possible with secure accounts such as this. Noticed that if I change the patch management for SCCM from "up to date" to "enabled" the process is a lot faster, not sure why?
I've set up a new environment and ISE posture discovery completely fails now.
Big question is I have an unknown posture authorisation = Posture_Remediation which permits access to DNS, DHCP, HTTP, intranet & general remediation services. The redirect ACL denies any traffic which does not need to be redirected, i.e. DNS, DHCP, ISE PSN nodes, but permits http & https:-
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny ip any host ISE PSN
permit tcp any any eq www
permit tcp any any eq 443
This redirect ACL is also configured on the switch.
But the AnyConnect client v4.4 does not discover the ISE server during the posture discovery.
Switch config is configured for ip http server & ip http secure-server.
Am I missing something fundamental? Is there a good article that explains the ISE posture discovery process?
Thx Khalid
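As an added example (not from the thread or from Cisco), a small Python evaluator of the redirect ACL above with ISE semantics: permit means the flow is redirected to the portal, deny (or the implicit deny at the end) means the flow bypasses redirection. The PSN address and the probe flows are constructed placeholders; the ACL text is the poster's list with the DNS entry written in valid IOS syntax, and TCP 8905 is the port the AnyConnect posture module uses to reach the PSN.

```python
# Added example, not from the thread: evaluates Cisco IOS-style redirect ACL
# entries the way an ISE redirect works (permit = redirect to ISE portal,
# deny / no match = bypass). PSN address and flows are constructed placeholders.
PSN = "192.0.2.10"  # placeholder for the poster's 'ISE PSN' host
REDIRECT_ACL = f"""
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny ip any host {PSN}
permit tcp any any eq www
permit tcp any any eq 443
"""
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80}

def parse_ace(line):
    """Return (action, proto, dst_host, src_port, dst_port) for one ACE."""
    t = line.split()
    action, proto = t[0], t[1]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unparseable ACE: {line!r}")  # e.g. 'deny up ...'
    i, ports, host = 2, [None, None], None
    for side in (0, 1):                      # source first, then destination
        if t[i] == "host" and side == 1:
            host = t[i + 1]                  # only destination hosts matter here
        i += 2 if t[i] == "host" else 1      # 'host A.B.C.D' or 'any'
        if i < len(t) and t[i] == "eq":      # optional 'eq <port|name>'
            ports[side] = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            i += 2
    return action, proto, host, ports[0], ports[1]

def redirect_decision(acl_text, proto, dst_ip, src_port, dst_port):
    """First-match evaluation: 'redirect', 'bypass', or 'bypass (implicit deny)'."""
    for line in filter(None, (l.strip() for l in acl_text.splitlines())):
        action, aproto, host, sp, dp = parse_ace(line)
        if aproto != "ip" and aproto != proto: continue
        if host and host != dst_ip: continue
        if sp is not None and sp != src_port: continue
        if dp is not None and dp != dst_port: continue
        return "redirect" if action == "permit" else "bypass"
    return "bypass (implicit deny)"

if __name__ == "__main__":
    probes = {  # constructed flows from an endpoint in the posture-unknown state
        "DHCP discover": ("udp", "255.255.255.255", 68, 67),
        "DNS lookup": ("udp", "192.0.2.53", 50000, 53),
        "posture probe to PSN :8905": ("tcp", PSN, 50001, 8905),
        "browser HTTP": ("tcp", "198.51.100.7", 50002, 80),
        "SMB to file server": ("tcp", "198.51.100.9", 50004, 445),
    }
    for name, flow in probes.items():
        print(f"{name:28s} -> {redirect_decision(REDIRECT_ACL, *flow)}")
```

Note that the posture probe to the PSN is excluded from redirection by the `deny ip any host` line, so if the probe still fails the cause lies outside this ACL (PSN reachability, the switch's http server, or the redirect URL).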
06-02-2017 04:14 AM
See if this link is useful : communities.labminutes.com/security/ise-posture-using-predeploy-method-and-posture-discovery/
Also check this post, I think it might solve your problem:- cisco.jiveon.com/message/357182
06-06-2017 12:34 AM
Thanks Farhan, the second link is Cisco internal (employee only) - could you please post it here?
07-08-2017 05:37 PM
ISE Troubleshooting TechNotes has a couple of articles on posture that might help. Without sharing any debug, we can't really help you here. You should probably engage Cisco TAC for further assistance.