cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

636
Views
0
Helpful
2
Replies
David Milne
Beginner

ISE 2.3 Posture - User name change detected for the session

Evening everyone.

Having an issue with temporal agent posture check for BYOD clients and I'm not sure if it's client config causing it, or something on the ISE side.

What I'm seeing is that when a client connects and gets redirected to download the temporal agent, the RADIUS Live Logs show the identity as user@domain. Once the posture check is done and a CoA is issue, the client then appears in the live logs as just user rather than user@domain

If I look at the report for the new authorisation, it has a line that says "User name change detected for the session.Attributes for the session will be removed from the cache."

What that means from a user POV is that they need to re-run the posture assessment a second time, and then after another CoA and reauth the endpoint keeps the PostureStatus attribute as either Compliant/Non-Compliant and get appropriate access.

I saw bug CSCuj34004 that appeared to relate to my symptoms, but the workaround doesn't seem to work in my case. The BYOD policies are ordered such that compliant/non-compliant are ahead of unknown already, but the issue persists. Furthermore, all of my authentications are user authentication - there's never a change from machine to user auth.

Has anyone observed similar behaviour before? I've had a poke around my client settings on my test machine but I can't see anything that would cause it to change the username it sends for 802.1x auth, so I'm not sure if that's being influenced by the temporal agent or not, or if there's something I can do on the ISE side to work around the issue.

I've attached a screenshot of the RADIUS Live Logs showing the changing identity and showing how it seems to cause me to hit he 'UNKNOWN' BYOD policy twice.

1 ACCEPTED SOLUTION

Accepted Solutions
hslai
Cisco Employee

It seems an issue with the Cert auth profile and TAC opening a bug on it.

View solution in original post

2 REPLIES 2
hslai
Cisco Employee

CSCuj34004 is an old bug and should only be applicable to ISE 1.x, but not ISE 2.x.

Please engage Cisco TAC to take a look and see why your DOT1X supplicant sending ISE different formats for the username and why ISE not normalizing them and treating them as the same username.

hslai
Cisco Employee

It seems an issue with the Cert auth profile and TAC opening a bug on it.

View solution in original post

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars



Did you miss a previous ISE webinar?

CiscoISE YouTube Channel