ISE Posture – Long boot and no network access

Sarah Ives
Level 1

I have been troubleshooting this for months, so any help will be appreciated.

Users are running Windows 11 on our on-prem wired network and require DUO push authentication at login. The current Cisco Secure Client and ISE Module version is 5.1.7.8.

This is what our Policy set is:

Compliant: Within Active Directory computer domain, Posture status is Compliant, and DACL allow ip any any

Unknown: Within Active directory computer domain, Posture status is Unknown, and DACL allow Posture communication, DUO authentication, communicate with internal Domain controllers, DHCP, LDAP, DNS, Kerberos, RADIUS, HTTP/HTTPS, etc.

Uncompliant: deny any any

Once the users power their computers up, it takes about a minute to boot. When they log in with their credentials, they get an infinite spinning wheel at the Other User screen and they don't get a DUO push. However, when they unplug from wired and connect to wireless, the Other User screen switches immediately to their username and logs them in. (Wireless doesn't have posture and has a DACL of allow ip any any.) Once they reconnect to wired it is fine, and posture is green. I believe the issue is the time away from the network and the DACL configuration. Any ideas as to what I could be missing or need to remove?

Here are our Posture settings:

[screenshot: Posture settings]


And the DACL:

permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit tcp any any eq domain
permit tcp any any eq 443
permit tcp any any eq 80
permit tcp any any range 1024-65535
permit tcp any host ise-server eq 443
permit tcp any host ise-server eq 443
permit tcp any host ise-server eq 80
permit tcp any host ise-server eq 80
permit tcp any host ise-server eq 8443
permit tcp any host ise-server eq 8443
permit udp any any eq 68
permit tcp any any eq 88
permit tcp any any eq 123
permit tcp any any eq 135
permit udp any any eq 137
permit udp any any eq 138
permit tcp any any eq 139
permit tcp any any eq 389
permit udp any any eq 389
permit tcp any any eq 445
permit tcp any any eq 636
permit udp any any eq 636
permit tcp any any eq 464
permit udp any any eq 464
permit tcp any any eq 8905
permit udp any any eq 8905
permit tcp any any eq 8843
permit udp any any eq 8843
permit tcp any any eq 8449
permit udp any any eq 1812
permit udp any any eq 1813
permit tcp any any range 49152 65535
permit tcp any any range 3268 3269
permit tcp any host KMS-server eq 1688
permit tcp any host CA-Server eq 135
permit ip any host ise-server
permit ip any host ise-server
permit ip any host domain-controller
permit ip any host domain-controller
permit ip any host SFTP server
permit ip any DUO server
permit ip any DUO server
permit ip any DUO server
permit ip any DUO server
deny ip any any


Thanks in advance. 
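As an added illustration (not code from the post, from Cisco, or from DUO), the following Python checker evaluates a set of boot/logon-time client flows against a subset of the DACL above using first-match ACL semantics. The flow list, the names `client` and `time-server`, the arbitrary source port, and the reading of `permit ip any DUO server` as a `host duo-server` entry are assumptions; one thing it makes visible is that `permit tcp any any eq 123` does not match NTP, which runs over UDP 123, so time sync to anything other than a host listed with `permit ip` falls through to the final deny.

```python
import re
from collections import namedtuple

# Entries of the posted DACL that the checked flows can touch; host names are the
# post's placeholders, and "permit ip any DUO server" is read as "host duo-server".
DACL = """permit udp any eq bootpc any eq bootps
permit tcp any any eq 443
permit tcp any any eq 88
permit tcp any any eq 123
permit tcp any any range 49152 65535
permit ip any host domain-controller
permit ip any host duo-server
deny ip any any"""
Rule = namedtuple("Rule", "action proto src sport dst dport")  # ports as (lo, hi)
NAMED_PORTS = {"bootpc": 68, "bootps": 67, "domain": 53}
_EP = r"(any|host \S+)(?: ((?:eq|range) \S+(?: \d+)?))?"  # address + optional port qualifier
RULE_RE = re.compile(rf"(permit|deny) (\w+) {_EP} {_EP}$")

def _ports(q):
    # None -> any port; "eq P" -> (P, P); "range A B" or "range A-B" -> (A, B)
    if q is None:
        return (0, 65535)
    nums = [NAMED_PORTS.get(t) or int(t) for t in q.replace("-", " ").split()[1:]]
    return (nums[0], nums[-1])
def parse_dacl(text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unparsed DACL line: {line!r}")
        action, proto, src, sp, dst, dp = m.groups()
        rules.append(Rule(action, proto, src.replace("host ", ""), _ports(sp),
                          dst.replace("host ", ""), _ports(dp)))
    return rules
def decision(rules, proto, src, sport, dst, dport):
    # ACL semantics: the first matching line decides; no match is an implicit deny.
    for r in rules:
        if (r.proto in ("ip", proto) and r.src in ("any", src) and r.dst in ("any", dst)
                and r.sport[0] <= sport <= r.sport[1] and r.dport[0] <= dport <= r.dport[1]):
            return r.action
    return "deny"
def check_logon_flows(rules):
    # Assumed client flows during boot/logon, standard ports; source port 50000 is arbitrary.
    flows = {
        "dhcp": ("udp", "client", 68, "any", 67),
        "kerberos_udp_dc": ("udp", "client", 50000, "domain-controller", 88),
        "ntp_udp_timeserver": ("udp", "client", 50000, "time-server", 123),
        "duo_push_https": ("tcp", "client", 50000, "duo-server", 443),
    }
    return {name: decision(rules, *f) for name, f in flows.items()}
```

Feed the complete DACL through `parse_dacl` and extend `flows` with your own posture, DUO and time-source endpoints to see which logon-time flows the wired DACL actually permits.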
