ISE 2.3 Posture - User name change detected for the session

David Milne
Level 1

Evening everyone.

Having an issue with temporal agent posture check for BYOD clients and I'm not sure if it's client config causing it, or something on the ISE side.

What I'm seeing is that when a client connects and gets redirected to download the temporal agent, the RADIUS Live Logs show the identity as user@domain. Once the posture check is done and a CoA is issued, the client then appears in the live logs as just user rather than user@domain.

If I look at the report for the new authorisation, it has a line that says "User name change detected for the session.Attributes for the session will be removed from the cache."

What that means from a user POV is that they need to re-run the posture assessment a second time, and then after another CoA and reauth the endpoint keeps the PostureStatus attribute as either Compliant/Non-Compliant and gets appropriate access.

I saw bug CSCuj34004 that appeared to relate to my symptoms, but the workaround doesn't seem to work in my case. The BYOD policies are ordered such that compliant/non-compliant are ahead of unknown already, but the issue persists. Furthermore, all of my authentications are user authentication - there's never a change from machine to user auth.

Has anyone observed similar behaviour before? I've had a poke around my client settings on my test machine but I can't see anything that would cause it to change the username it sends for 802.1x auth, so I'm not sure if that's being influenced by the temporal agent or not, or if there's something I can do on the ISE side to work around the issue.

I've attached a screenshot of the RADIUS Live Logs showing the changing identity and showing how it seems to cause me to hit the 'UNKNOWN' BYOD policy twice.

2 Replies

hslai
Cisco Employee

CSCuj34004 is an old bug and should only be applicable to ISE 1.x, but not ISE 2.x.

Please engage Cisco TAC to take a look and see why your DOT1X supplicant is sending ISE different formats for the username and why ISE is not normalizing them and treating them as the same username.
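As an added illustration (not from the thread, and not Cisco ISE code), a small Python script that groups constructed RADIUS Live Log rows by session and flags sessions where the identity string changed only in format (user@domain, bare user, DOMAIN\user) rather than to a genuinely different user, which is the symptom described above. The session IDs, usernames and row layout are constructed for the example.

```python
# Constructed sample of RADIUS Live Log rows: (timestamp, session_id, identity).
# These values are invented for the example, not taken from the original post.
SAMPLE_LOG = [
    ("2018-01-10 18:02:01", "SESSION-0001", "jdoe@example.com"),      # initial auth, redirect
    ("2018-01-10 18:03:15", "SESSION-0001", "jdoe"),                  # reauth after CoA
    ("2018-01-10 18:04:00", "SESSION-0002", "asmith@example.com"),
    ("2018-01-10 18:05:30", "SESSION-0002", "asmith@example.com"),    # identity unchanged
    ("2018-01-10 18:06:00", "SESSION-0003", "EXAMPLE\\bwhite"),       # DOMAIN\\user form
    ("2018-01-10 18:07:00", "SESSION-0003", "bwhite@example.com"),    # user@domain form
    ("2018-01-10 18:08:00", "SESSION-0004", "cgreen@example.com"),
    ("2018-01-10 18:09:00", "SESSION-0004", "dblack@example.com"),    # a real user change
]


def normalize_identity(identity):
    """Reduce user@realm or DOMAIN\\user to a lowercase bare username.

    This mirrors the kind of normalization the reply above says ISE should
    apply so that both forms are treated as the same user.
    """
    ident = identity.strip()
    if "\\" in ident:                     # DOMAIN\user -> user
        ident = ident.split("\\", 1)[1]
    if "@" in ident:                      # user@realm -> user
        ident = ident.split("@", 1)[0]
    return ident.lower()


def classify_sessions(rows):
    """Return {session_id: (verdict, [distinct raw identities in order])}.

    verdict is one of:
      "stable"       - the raw identity never changed
      "format-only"  - raw identity changed, but normalized username did not
                       (the posture/CoA symptom from the question)
      "real-change"  - a different user authenticated on the same session
    """
    per_session = {}
    for _ts, sid, identity in rows:
        per_session.setdefault(sid, []).append(identity)
    verdicts = {}
    for sid, idents in per_session.items():
        raw = list(dict.fromkeys(idents))             # distinct, order preserved
        normalized = {normalize_identity(i) for i in idents}
        if len(raw) == 1:
            verdict = "stable"
        elif len(normalized) == 1:
            verdict = "format-only"
        else:
            verdict = "real-change"
        verdicts[sid] = (verdict, raw)
    return verdicts
```

Run over an exported Live Log with the same three columns, the "format-only" sessions are the ones worth showing TAC alongside the supplicant's configured identity format.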

hslai
Cisco Employee

It seems to be an issue with the Cert auth profile, and TAC is opening a bug on it.