ISE - Posture Lease not applied

ArunNarayanankutty43896 · ‎03-27-2021

Dear community,

I've set the posture lease to 2 days in ISE and it's working as expected in Wireless but whenever the client connects to the wired network it always goes through the posture check.

For additional info, the authentication request always goes to the same PSN node and in the Endpoint Attributes in ISE shows posture expiry time is 2 days for the endpoint.

Kindly advise if some one had similar issue and resolved. Thanks

Arun

Mike.Cifelli · ‎03-30-2021

What version of ISE are you running? How are your global ISE Posture settings configured? What do you have configured for: Cache Last Known Posture Compliant Status

-Is it possible that the wired mac is not present in the ISE DB so ISE thinks the client is new when using wired therefore triggering posture assessment?

-Is it possible that your cache is expiring triggering wired transitions to require posturing?

-What additional tests and info can you share?

ArunNarayanankutty43896 · ‎03-31-2021

Hi Mike,

ISE version is 2.7 Patch 3
Cache Last known posture complaint status is not enabled (Tried enabling and tested but same result).
Endpoint attribute details shows configured posture expiry time (which is 2 days)

Tried deleting the Endpoint from ISE and tested reconnecting multiple time but each time ISE shows device is successfully postured with complaint status, ISE keeps updating the posture expiry value with the new time (before expiring the posture lease).