ISE posture pending since AnyConnect posture doesn't trigger

Madura Malwatte
Level 4

ISE 2.3 patch 5 / AnyConnect 4.7

Looking for guidance from the Cisco experts. I was doing some testing of wireless roaming (the user's IP address does not change) and am seeing a behaviour where ISE waits in posture pending state since AC doesn't trigger a posture check.

Here is the set up:

DataCenter1: psn01, wlc01, ap01 

DataCenter2: psn02, wlc02, ap02

The user connects wirelessly through AnyConnect to ap01, which is registered to wlc01 in dc1, and the RADIUS session goes to psn01. AC does the posture check and psn01 goes from posture pending to compliant. Next, the user roams (IP address does not change) and connects to ap02, which goes to wlc02 in dc2, and the RADIUS request is sent to psn02. Now psn02 does not know anything about the previous session on psn01 (they are in different node groups, because the PSNs are in different data centers), so psn02 shows the session in posture pending state; however, AC does not trigger a posture check. Hence the user is stuck in posture pending state, while the AC system scan remains compliant from when it had connected to psn01.

Looks like only the following events trigger AnyConnect to start posture check:

· IP Address change

· Port flap (down/up)

· Default gateway change

· Periodic posture reassessment

In my case none of these will happen, as the user maintains the same IP address when roaming. So how do we get AC to trigger posture, or ISE to sync posture state from the other PSN, because both AC and ISE are out of sync in terms of posture?

I am seeing this issue when moving from wireless to wired: in this case the user's IP address changes, but they remain on the same subnet, so the default gateway doesn't change (as per our network design).


Mike.Cifelli
VIP Alumni
A few thoughts on your rather interesting scenario.
If you want workstations to be scanned when connecting to either AP, is it possible to disable roaming so that users must reauthenticate when moving to either AP?
Why not put both PSNs in the same subnet in one of the DCs and put them in a node group? Then route traffic from NADs to the one DC. I suppose my question is why the two DCs & PSNs are separated if users don't change networks?
Can you share what types of av-pairs you see in live logs when the user roams from A->B?

Disabling roaming isn't really a solution for us. I was testing this scenario to reproduce what would happen in a failure scenario, where an AP group or AP would switch over to a different DC. I cannot have all PSNs in one DC; I need failover capability, hence why I have PSNs in both DCs. There is a scenario for wired dot1x ports where the switch could fail over RADIUS to the DC2 PSN while wireless is still on the DC1 PSN. What would happen here when switching between wired and wireless when the user's subnet doesn't change? I am seeing users stuck in posture pending state since the new PSN doesn't know about the RADIUS session, but AC thinks it's all good.


I'll try to get the av-pairs. 

The only way I’ve found how to deal with this case is to use posture lease plus posture reassessment. 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_010111.html
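The divergence described in the question (a PSN in a different node group starts the roamed session as posture pending while AnyConnect keeps its compliant result, because none of the listed trigger events fire) and the workaround in the last reply (posture lease plus periodic reassessment) can be checked against a small model. The following is an added example, not code from ISE, AnyConnect or any poster in this thread. Everything in it is an assumption for the purpose of the model: the class and field names, the state names, the timers, and the simplification that a posture lease lets the new PSN accept the endpoint's last compliant result if it is younger than the lease, while a due reassessment counts as one more AnyConnect trigger.

```python
"""Model of posture state across two PSNs that do not share session state.

Added illustration (not ISE or AnyConnect code). Assumptions:
- each PSN keeps its own session table (different node groups, nothing shared)
- AnyConnect starts a scan only on: IP change, port flap, default gateway
  change, or a due periodic reassessment (the trigger list from the question)
- a posture lease lets a PSN reuse the endpoint's last compliant result if it
  is younger than the lease (simplified stand-in for the ISE setting)
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PENDING, COMPLIANT = "pending", "compliant"


@dataclass
class Endpoint:
    mac: str
    ip: str
    gateway: str
    ac_state: str = PENDING                 # what the AnyConnect agent believes
    last_compliant: Optional[int] = None    # time of the last passed scan


@dataclass
class PSN:
    name: str
    lease_seconds: int = 0                  # 0 = posture lease not configured
    sessions: Dict[str, str] = field(default_factory=dict)  # mac -> state

    def authenticate(self, ep: Endpoint, now: int) -> str:
        """New RADIUS session on this PSN; nothing is known from other PSNs."""
        within_lease = (
            self.lease_seconds > 0
            and ep.last_compliant is not None
            and now - ep.last_compliant <= self.lease_seconds
        )
        self.sessions[ep.mac] = COMPLIANT if within_lease else PENDING
        return self.sessions[ep.mac]


def anyconnect_triggers(old_ip: str, new_ip: str, old_gw: str, new_gw: str,
                        port_flap: bool, pra_due: bool) -> bool:
    """The only events (per the question) that make AnyConnect start a scan."""
    return old_ip != new_ip or old_gw != new_gw or port_flap or pra_due


def roam(ep: Endpoint, psn: PSN, now: int, new_ip: Optional[str] = None,
         new_gw: Optional[str] = None, port_flap: bool = False,
         pra_due: bool = False) -> Tuple[str, str]:
    """Endpoint attaches to a NAD whose RADIUS goes to `psn`.

    Returns (state the PSN holds, state the AnyConnect agent holds).
    """
    new_ip = new_ip or ep.ip
    new_gw = new_gw or ep.gateway
    psn.authenticate(ep, now)
    if anyconnect_triggers(ep.ip, new_ip, ep.gateway, new_gw, port_flap, pra_due):
        # scan runs and reports to whichever PSN now owns the session;
        # the model assumes the endpoint passes the scan
        ep.ac_state, ep.last_compliant = COMPLIANT, now
        psn.sessions[ep.mac] = COMPLIANT
    ep.ip, ep.gateway = new_ip, new_gw
    return psn.sessions[ep.mac], ep.ac_state


def stuck(result: Tuple[str, str]) -> bool:
    """The failure mode from the thread: PSN pending, agent compliant."""
    return result == (PENDING, COMPLIANT)


def scenario(lease_seconds: int = 0, pra_interval: int = 0) -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Connect via ap01/wlc01 -> psn01, then roam to ap02/wlc02 -> psn02 with
    the same IP and gateway 300 s later. Returns the (psn, agent) state pairs."""
    psn01 = PSN("psn01", lease_seconds)
    psn02 = PSN("psn02", lease_seconds)
    ep = Endpoint(mac="aa:bb:cc:dd:ee:ff", ip="10.1.1.50", gateway="10.1.1.1")  # constructed
    first = roam(ep, psn01, now=0, port_flap=True)      # link comes up: scan runs
    t = 300
    pra_due = pra_interval > 0 and t >= pra_interval
    second = roam(ep, psn02, now=t, pra_due=pra_due)    # same IP, same gateway
    return first, second


if __name__ == "__main__":
    for label, kwargs in (("no workaround", {}),
                          ("posture lease 24h", {"lease_seconds": 86400}),
                          ("reassessment every 4 min", {"pra_interval": 240})):
        first, second = scenario(**kwargs)
        print(f"{label:26} after roam psn={second[0]:9} agent={second[1]:9} stuck={stuck(second)}")
```

Running it with no workaround reproduces the symptom (psn02 pending, agent compliant); with a lease configured psn02 accepts the earlier result, and with a reassessment interval shorter than the time between attachments the agent rescans and reports to psn02. The model says nothing about which of the two settings is preferable or about their interaction with the ISE endpoint database; it only shows why each one closes the gap the trigger list leaves open.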