Cisco ISE v2.1 Wired Posture check runs slow

khalid_mahmood
Level 4

Hi, we have Cisco ISE v2.1 patch 3 running for wired 802.1x with posture checking. The end devices are Windows 10 desktops/laptops running AnyConnect v4.4.248. Posture works fine but it takes approx 30 seconds, which is a long time for a user to wait. If we enable the SCCM check for installation or service running it's the same delay, but if we ask SCCM to check that patches are up to date this takes 1/5 mins.

The Authentication policy is EAP-TLS to a CAP profile, works fine


Authorisation rules:-

  • Unknown Posture     if wired802.1x and certificate issuer common name=Company, AND Session:PostureStatus EQUALS Unknown then Posture
  • Compliant Posture     if wired802.1x and certificate issuer common name=Company, AND Session:PostureStatus EQUALS Compliant then Permit-All
  • Non Compliant Posture     if wired802.1x and certificate issuer common name=Company, AND Session:PostureStatus EQUALS NonCompliant then Posture_remediation

Authorisation rules:-

  • Authorisation Result Posture_remediation allows access (dACL) to backend remediation servers
  • Authorisation Result Posture =
      • Access Type = Access_Accept
      • Common tasks dACL = Remediation_ACL
      • Web Redirection (CWA, MDM, NSP, CPP) - Client Provisioning (Posture), ACL=ACL_Redirect, Value = Client Provisioning Portal (default)
      • (cisco-av-pair = url-redirect-acl=ACL_Redirect
      • cisco-av-pair = url-redirect=https://ip:port/portal/gateway/sessionid xxxxxx)

Any help would be helpful.

Regards Khalid

5 Replies

hslai
Cisco Employee

I would suggest to engage TAC and submit the DART for investigation.

Thanks for the response Hslai. DART or Wireshark export is not possible with secure accounts such as this. Noticed that if I change the patch management for SCC from "up to date" to "enabled" the process is a lot faster, not sure why?

I've set up a new environment and ISE posture discovery completely fails now.

Big question is: I have an Unknown Posture authorisation = Posture_Remediation which permits access to DNS, DHCP, HTTP, intranet & general remediation services. The redirect ACL denies any traffic which does not need to be redirected, i.e. DNS, DHCP, ISE PSN nodes, but permits http & https:-

deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny ip any host ISE PSN
permit tcp any any eq www
permit tcp any any eq 443

This redirect ACL is also configured on the switch.

But the AnyConnect client v4.4 does not discover the ISE server during the posture discovery.

Switch config has ip http server & ip http secure-server enabled.

Am I missing something fundamental? Is there a good article that explains the ISE posture discovery process?

Thx Khalid
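As an added example (not from the post or from Cisco), a small Python model of how the switch evaluates that redirect ACL, assuming a placeholder PSN address of 10.0.0.5 and constructed sample flows from a client at 10.1.1.20; it shows which traffic is intercepted to the portal and which passes through.

```python
# Redirect-ACL semantics on an IOS switch: a "permit" ACE means the switch intercepts
# the flow and sends the client to the ISE portal; a "deny" ACE (and the implicit deny
# at the end) lets the flow through, which is why DHCP, DNS and the PSN must be denied.
NAMED_PORTS = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80}
PSN_IP = "10.0.0.5"  # assumed placeholder; the post only says "ISE PSN"

# The ACL quoted in the post, with the PSN placeholder filled in.
REDIRECT_ACL_TEXT = f"""
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny ip any host {PSN_IP}
permit tcp any any eq www
permit tcp any any eq 443
"""

def _endpoint(tok, i):
    """Consume 'any' or 'host X' plus an optional 'eq PORT'; None means wildcard."""
    assert tok[i] in ("any", "host"), f"unsupported address spec: {tok[i]}"
    addr, i = (None, i + 1) if tok[i] == "any" else (tok[i + 1], i + 2)
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = NAMED_PORTS.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return addr, port, i

def _parse_ace(line):
    """One ACE -> (action, proto, src, sport, dst, dport)."""
    tok = line.split()
    src, sport, i = _endpoint(tok, 2)
    dst, dport, _ = _endpoint(tok, i)
    return (tok[0], tok[1], src, sport, dst, dport)

def redirect_decision(acl, flow):
    """flow = (proto, src, sport, dst, dport); first matching ACE wins."""
    for action, proto, *fields in acl:
        if proto != "ip" and proto != flow[0]:
            continue
        if all(want is None or want == got for want, got in zip(fields, flow[1:])):
            return "redirect" if action == "permit" else "pass-through"
    return "pass-through"  # implicit deny: not redirected

def classify_samples():
    """Constructed flows from a client at 10.1.1.20 (all addresses are assumed)."""
    acl = [_parse_ace(l) for l in REDIRECT_ACL_TEXT.strip().splitlines()]
    samples = {
        "dhcp": ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
        "dns": ("udp", "10.1.1.20", 50000, "10.0.0.53", 53),
        "psn-portal": ("tcp", "10.1.1.20", 50001, PSN_IP, 8443),
        "intranet-http": ("tcp", "10.1.1.20", 50002, "10.2.2.10", 80),
        "ssh": ("tcp", "10.1.1.20", 50004, "10.2.2.11", 22),
    }
    return {name: redirect_decision(acl, f) for name, f in samples.items()}
```

If the PSN line were missing, the client's own HTTPS session to the portal would match the 443 permit and be redirected back at itself, which is one of the first things to check when discovery never completes.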

Farhan Mohamed
Cisco Employee

See if this link is useful : communities.labminutes.com/security/ise-posture-using-predeploy-method-and-posture-discovery/

Also check this post, I think it might solve your problem:- cisco.jiveon.com/message/357182

Thanks Farhan, the second link is Cisco internal (employee only) - could you please post it here.

hslai
Cisco Employee

ISE Troubleshooting TechNotes has a couple of articles on posture that might help. Without any debug output shared, we can't really help you here. You should probably engage Cisco TAC for further assistance.