08-01-2024 06:53 PM - last edited on 08-01-2024 09:45 PM by rupeshah
Dear Cisco Community,
In my lab, the PCs have Cisco Secure Client 5.1.2.42 installed with CM 4.3.3335.6146 (ISE 3.1 P6).
There are a few PCs where, when turned on the first time, the SC agent status is Compliant but they cannot access internal systems. Sometimes it occurs on random PCs.
Remark:
- On the ISE live log we can see this endpoint is working fine; the status is Compliant.
- On the PC, the Cisco Secure Compliant module status is "Compliant - network access allowed". We need to wait around 2-3 minutes, then it works.
- Or we need to click on "Scan Again", then the PC can access any systems and the internet.
Kindly review and advise how to ensure the PCs can work properly.
Thanks,
08-05-2024 05:37 AM
CoA configured properly? What is the NAD? Are you also using dACLs? Redirectionless or redirection-based posture?
08-05-2024 07:26 PM
08-06-2024 08:25 AM
Do you see successful CoA logs on live logs? What version of IOS-XE? What does show auth sessions details display for the interface when the device is having the issue?
08-06-2024 07:13 PM
Hello @ahollifield,
We can see CoA on the live log, and the auth session is working properly.
This issue occurs most often for supplicants in sleep mode (the laptop is not turned off) while performing EAP-FAST authentication (EAP-MSCHAPv2, EAP-TLS).
Thanks,
08-07-2024 08:08 AM - edited 08-07-2024 08:08 AM
So you see a successful CoA? Note that CoA live log is a completely separate entry from the auth session. You see a log with details "Dynamic Authorization Succeeded"?
You should no longer be using MSCHAPv2. You should migrate to TLS methods. You should have a look at TEAP natively supported in Windows and not using the NAM module for EAP-FAST.