ISE Posture Status - Compliant to Unknown

Hello All,

 

I am facing an issue in Cisco ISE for wired users and would like to get your help. Below are the details:

 

1. We are using ISE version 2.7.

2. Two different series of Cisco switches: 2960x and 9200.

3. No issue is faced by users who are connected on 9200 series switches.

4. For users connected on 2960x series switches, there are two issues:

 4.1 Users move from the Compliant state to the Unknown state; even after doing multiple Network Repairs on the end-user side, it doesn't get back to the Compliant state.

 4.2 Users in the Compliant state don't have any network access. They will have an IP address through DHCP, but they cannot ping the default gateway.

 

We have enabled dot1x authentication for end users and have 3 Authorization Policies:

 

Compliant Authorization Policy

    NAS Port Type: Ethernet

    Posture Status: Compliant

    EAP Chaining Result: User and Machine both succeeded

Non-Compliant Authorization Policy

    Posture Status: Non Compliant

Unknown Authorization Policy

    Posture Status: Unknown

 

Strangely, we started facing these issues on the 2960x when we upgraded the IOS image from 15.0 to 15.2(2)E6.

 

Before the switch upgrade, users were connected and had network access; once compliant, they would stay compliant.

 

The reason for the switch upgrade was that with the 15.0 image, users were not automatically redirected to the Client Provisioning Portal to download the Cisco AnyConnect software from the portal. After the IOS upgrade, the redirection to the client provisioning portal has been resolved, but we are facing the two new issues mentioned above.

 

I have attached the switch configuration of the 2960x. Please check if you find anything missing.

 

 


8 Replies

Hi @Mohammad Raza Meer ,

 first of all ... the 2960X - 15.2(2)E6 is compatible with ISE 2.7 (ISE Compatibility Matrix, Network Component Compatibility 2.7 - search for Validated Cisco Access Switches).

 second ... use the following commands to check what is happening during the issue:

show authentication sessions interface <interface> details
debug dot1x all


Hope this helps !!!

Hi @Marcelo Morais 

 

Thank you for your response!

 

Users on 2960x are hitting the same authentication and authorization policies that users on 9200 series switches are hitting. Posture status will be compliant.

 

Today I fixed one of the issues. I went to Operations -> Diagnostic Tool -> Configuration Evaluator and saw that DHCP snooping commands are shown as mandatory. I ran the DHCP snooping commands on the switch. After this modification in the configuration, users on the 2960x switch in the Compliant state (both on the computer side and in ISE RADIUS Live Logs) have network/internet access. DHCP snooping configuration was not required on the 9200 series switches, and the users there are working without any issue.

 

The second issue that I am facing is still being worked on, not yet resolved. For testing, I restarted the computer to see if the user would get network access once the system is rebooted. What happens is that the user hits the Unknown Authorization Policy, but on the user side it shows Compliant. On the switch, show authentication session interface gig x/x shows that the user has a URL redirect and REDIRECT-ACL applied. The end user will be redirected to the client provisioning portal. The URL redirect should not be applied on the user side when he already has the AnyConnect software installed and has previously been Compliant (or, in other words, the user should not hit the Unknown Authorization Policy).

Hi @Mohammad Raza Meer 

 it's correct for a User to hit the "Unknown Authorization Policy" because the Posture Status is Unknown; at this point, an Authorization Profile that contains the Redirect URL must be applied ... the question is, why is the User not hitting the Posture Status of Compliant on ISE?

 Could you please check the Posture Status of the User at:

Work Center > Posture > Reports > Reports > Posture Reports > Posture Assessment by Endpoint


PS.: good news about the DHCP snooping, but also interesting ... did you only have to apply the ip dhcp snooping command globally?

 

Hope this helps !!!

Hi  

 This is what I did now for testing:

 On the switch, shut/no-shut on the user interface:

  1. User status on the computer shows Compliant and network access is allowed.
  2. On the switch, show authentication session interface gig x/x detail shows REDIRECT-ACL applied and URL redirect applied.
  3. In Cisco ISE RADIUS Live Logs the user hits the "Unknown Authorization Policy" and stays in this state.
  4. Waited for some time; the status doesn't change in ISE Live Logs.
  5. Did a Network Repair 2 to 3 times on the user side, and the user hits the "Compliant-Authorization-Policy" in Cisco ISE RADIUS Live Logs.
  6. The user gets network access.

Now the question is that it's okay for the user to hit the "Unknown Authorization Policy" at first, but it should complete the network scan and move to the "Compliant Authorization Policy" automatically, without user intervention and without doing a network repair 2 to 3 times.

 I checked the Posture status as mentioned in your comment, and I found that at both times (unknown-auth-policy and compliant-auth-policy), the user's end machine shows the status Compliant in the posture assessment report. The only difference in the two reports is the "username": when in unknown-auth-policy it is the "MAC address of the machine", and when in compliant-auth-policy the username is the "actual user-id" of the user.
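The switch-side check suggested earlier in the thread (show authentication sessions interface ... details) and the REDIRECT-ACL / URL redirect seen in the test steps above can be evaluated mechanically. The following is an added example, not code from the thread or from Cisco: it parses a constructed sample of that command's output and flags the symptom described here, a session where the agent reports Compliant while the switch still holds the posture redirect. The field layout, hostnames, ACL name and session IDs in the sample are assumptions.

```python
import re

# Constructed sample modelled on the 2960X output of
# "show authentication sessions interface GigabitEthernet1/0/1 details";
# every value is made up, only the field layout follows the real command.
REDIRECT_SESSION = """\
            Interface:  GigabitEthernet1/0/1
           IP Address:  10.1.1.50
            User-Name:  host/LAPTOP01.example.com
               Status:  Authz Success
     URL Redirect ACL:  REDIRECT-ACL
         URL Redirect:  https://ise.example.com:8443/portal/gateway?sessionId=0A0101010000001A000B6A5C&action=cpp
    Common Session ID:  0A0101010000001A000B6A5C

Runnable methods list:
       Method   State
       dot1x    Authc Success
"""

# "Field:  value": the first colon followed by whitespace ends the field name,
# so the "https:" inside a redirect URL does not split the value.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /-]*?):\s+(\S.*)$")

def parse_session(text):
    """Return the header block of the command output as a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            break                      # header block ends at the first blank line
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def classify_posture(fields):
    """Map the switch-side session to the ISE authorization result in effect:
    'redirect' = URL redirect + REDIRECT-ACL pushed (Unknown policy, posture
    result not yet at ISE); 'authorized' = no redirect (Compliant or
    Non-Compliant policy, usually with a dACL); 'unauthorized' otherwise."""
    if not fields.get("Status", "").startswith("Authz Success"):
        return "unauthorized"
    if "URL Redirect ACL" in fields or "URL Redirect" in fields:
        return "redirect"
    return "authorized"

def agent_switch_mismatch(fields, agent_status):
    """The symptom from the thread: AnyConnect reports Compliant while the
    switch still holds the redirect, i.e. the session is stuck in Unknown."""
    return agent_status == "Compliant" and classify_posture(fields) == "redirect"
```

Feed it the real output of the command on the 2960x while the user is stuck, and compare the result with the Posture Status shown in the ISE Live Logs.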

Hi @Mohammad Raza Meer ,

 the User should first hit the "Unknown Authorization Policy", complete the Network Scan and move to the "Compliant Authorization Policy" automatically.

 Please take a look at:

Operations > Reports > Reports > Endpoints and Users > RADIUS Authentication and also RADIUS Accounting

to check if the Authentication and Accounting have the same PSN Node.

 

Hope this helps !!!

Hi @Marcelo Morais 

 

I checked the Authentication and Accounting Servers, both are same PSN Nodes.

 

I opened a TAC case, and the engineer requested the DART bundle from when the end device has hit the "Unknown Authorization Policy" and not moved to the "Compliant Authorization Policy".

 

This is the response from the engineer:

 

"On the first attempt at 13:21 I can see that all probes are unreachable while being able to reach out directly to ISE. This would point to an issue in the configuration for the redirect, but the next discovery attempt at 13:28 did succeed for the redirect probe sent to the discovery host. This would point to the issue being intermittent.

 

On top of the 13:28 issue we can see that AnyConnect does receive redirection URLs for all 3 probes and only 1 of them was successful; since all 3 URLs are the same, it would also point to the issue being somewhere in the network. I'm doing some further internal checks regarding this behavior."

 

 

Hi @Mohammad Raza Meer 

 thanks for the feedback !!!

 Please take a look at: ISE Posture Style Comparison for Pre and Post 2.2, for a better understanding of the Posture process:

"...

Step 12. In ISE 2.2, the posture process is divided into two stages. The first stage contains a set of traditional posture discovery probes to support backward compatibility with deployments which rely on URL Redirect.

Step 13. The first stage contains all traditional posture discovery probes. To get more details about the probes please review Step 20 in the Pre ISE 2.2 posture flow.

Step 14. Stage two contains two discovery probes which allow the AC ISE posture module to establish a connection to the PSN where the session is authenticated, in environments where redirection is not supported. During stage two all probes are sequential.

..."

 

Hope this helps !!!

Regarding DHCP snooping

Yes, I applied the ip dhcp snooping commands that were given in the ISE Configuration Evaluator (3 to 4 commands), and after this the user got network access. Before DHCP snooping was applied on the switch, the user would not have any network access even after reaching step 5 above.