Cisco Secure Client agent delay time "ISE Posture" to PSN

Da ICS16
Level 1

Dear Cisco Community,

In my lab, the PCs have Cisco Secure Client 5.1.2.42 installed with CM 4.3.3335.6146 (ISE 3.1 P6).

There are a few PCs where, when turned on for the first time, the SC agent status is Compliant but the PC cannot get access to internal systems. Sometimes it occurs on random PCs.

Remark:

- On the ISE live log we can see this endpoint status is working fine; the status is Compliant.

- On the PC, the Cisco Secure Compliant module status is "Compliant - network access allowed". We need to wait around 2-3 minutes, then it works.

- Or we need to click on "Scan Again", then the PC can access any systems and the internet.

Kindly review and advise how to ensure the PCs can work properly.

Thanks,

5 Replies

CoA configured properly?  What is the NAD?  Are you also using dACLs?  Redirectionless or redirection-based posture?

Hello @ahollifield 

1. Yes, we configured CoA

2. Cisco switch 9200L

3. Using dACL

4. Redirectionless

Do you see successful CoA logs on live logs?  What version of IOS-XE?  What does show auth sessions details display for the interface when the device is having the issue?

Hello @ahollifield ,

We can see CoA on the live log, and the auth session is working properly.
This issue occurs most often for supplicants in sleep mode (the laptop is not turned off) while performing EAP-FAST authentication (EAP-MSCHAPv2, EAP-TLS).

Thanks,

So you see a successful CoA? Note that CoA live log is a completely separate entry from the auth session.  You see  a log with details "Dynamic Authorization Succeeded"?  

You should no longer be using MSCHAPv2.  You should migrate to TLS methods.  You should have a look at TEAP natively supported in Windows and not using the NAM module for EAP-FAST.