Endpoints in pending state post posture check

dgaikwad (Level 5)

Hi Experts,

Setup
AnyConnect 4.7.04056 with compliance module 4.3.838.6145.

We have started a pilot test of posture via AnyConnect for the users on one floor. Since the deployment we are seeing that endpoints are getting stuck in the pending state, even when AnyConnect shows the endpoint as compliant.
The setup is such that when the endpoint is not compliant, it is in a limited-access VLAN, and when it is compliant a different VLAN is pushed according to the type of user. This is working when we move back to the NAC agent for the posture check.

Any suggestions as to what might be missing or could be the cause of the issue?

Thank you,


5 Replies

Mike.Cifelli (VIP Alumni)
Can you share your ISE authz policies on how you have things set up? Also, have you attempted to run debugs on your NAD to identify any possible issues with CoA? To me this sounds like either a policy misconfig, or a CoA issue when the client is identified as compliant.
debug aaa coa
debug radius

Currently all the wired and wireless, MAB and dot1x policies are crammed into one policy set.
Then these authz policies are further applied for non-compliant endpoints as per the location of the user, using a condition of device, location and domain user group in the authz profile.

When the user becomes compliant, only posture status equals compliant is checked and a different VLAN is pushed for this user/endpoint.
Attached is a sample of what is configured as of now.
Attachments: Authz profiles.jpg, Policy set.jpg

Can you share a RADIUS live log from ISE when the workstation changes from compliant to non-compliant? Also, please run the debug aaa coa on the NAD and share those outputs. ISE needs to be configured as a dynamic author, and you need to ensure nothing is blocking UDP port 1700 for CoA.
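The NAD-side settings behind that advice, as an added example that is not from the thread: the IOS/IOS-XE dynamic-author stanza that lets ISE send RADIUS CoA to the switch, followed by the show commands used to verify it. The ISE PSN address 10.10.10.5, the shared secret and the interface name are placeholders.

```cisco
! Global config: accept RADIUS CoA (RFC 5176) from the ISE Policy Service Node.
! 10.10.10.5 and the server-key are placeholder values; use your PSN address and
! the same shared secret defined for this network device in ISE.
aaa server radius dynamic-author
 client 10.10.10.5 server-key 0 REPLACE_WITH_SHARED_SECRET
 port 1700
 auth-type any

! Exec mode: confirm the stanza is present, then watch the session while the
! endpoint moves from non-compliant to compliant (interface is a placeholder).
show running-config | section dynamic-author
show authentication sessions interface GigabitEthernet1/0/1 details
```

CoA is sent from ISE to the switch on UDP 1700, so any ACL or firewall between the PSN and the NAD must permit that direction; the debug aaa coa output on the switch shows whether the request arrives and is accepted.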

dgaikwad (Accepted Solution)
After tweaking the IP address change timers, I was able to get it to work, and this time around when the endpoint becomes compliant it holds onto the IP address as expected.

But for this to happen the posture client runs twice: once when it reports as compliant and a second time when its IP changes.

Ideally, reporting an endpoint as compliant and the IP change should happen at the same time, but this does not seem to be the case here.

I will start a new thread for this issue, thanks for the suggestions.

Sounds like you are getting closer. Why the desire for IP change? Can you share what conditions you use in your client provisioning policy sets? You should be able to utilize some sort of condition there that essentially allows AC posture module to bypass and not scan again.