Buy or Renew
Buy or Renew
Notice: The file download function is disabled. We apologize for the inconvenience.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1370
Views
0
Helpful
2
Replies

ISE 2.3 posture not rescanning when switching from wireless to wired with different psn's

Go to solution
Madura Malwatte
Level 4
Level 4

‎02-27-2019 04:56 PM

ISE 2.3 patch 5

 

I am using AnyConnect version 4.7 on windows 10 and have both a wired and wireless eap-tls profile.

wireless SSID radius authentications are done with psn01

wired radius authentication are done with psn02

 

I am seeing an unexpected behaviour in this scenario:

1. AC connects to wireless SSID (psn01)

2. Posture check is done and passes and machine granted access (compliant state)

3. Plug in ethernet port - triggers AC to switch to wired profile (psn02)

4. Network tab in AC shows "Connected". System Scan also shows compliant and network access allowed, but System Scan message history tab does not show a new scan took place. Radius live logs show session is in posture unknown state.

 

If I disable wifi and continue to plug/unplug the ethernet cable, posture scan is done everytime. Vice versa (if ethernet unplugged and wireless enabled/disabled - posture scan done for wireless everytime).

 

If I move between wired or wireless while either the ethernet cable is still plugged in or wifi enabled, then the posture does not scan, but AC says compliant, even through radius live log shows posture unknown state. 

 

 

 

2 people had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
kthiruve
Cisco Employee
Cisco Employee

‎02-27-2019 05:28 PM

I think you might be using Anyconnect NAM module that uses one connection at a time. If you use both wired and wireless, it still uses one connection at a time.

 

If you are not using AC NAM, then how is your traffic routed. AC uses posture discovery to track ISE servers. Make sure those work. Please make sure you have posture lease turned on if you dont want the posture to rescan.

 

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/configure-posture.html

 

Thanks

Krishnan

View solution in original post

0 Helpful
2 Replies 2

Go to solution
kthiruve
Cisco Employee
Cisco Employee

‎02-27-2019 05:28 PM

I think you might be using Anyconnect NAM module that uses one connection at a time. If you use both wired and wireless, it still uses one connection at a time.

 

If you are not using AC NAM, then how is your traffic routed. AC uses posture discovery to track ISE servers. Make sure those work. Please make sure you have posture lease turned on if you dont want the posture to rescan.

 

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/configure-posture.html

 

Thanks

Krishnan

0 Helpful

Go to solution
Madura Malwatte
Level 4
Level 4
In response to kthiruve

‎02-27-2019 05:32 PM

Yes I am using anyconnect NAM. But isn't that a false positive, when I switch over from wifi to wired or vice versa, AC interface shows "network: connected", "system scan: Compliant", but that's not the case, system scan is not compliant because it never did it when switching over profile and ISE shows posture unknown so the user does not have any access..

0 Helpful
Customers Also Viewed These Support Documents