
ISE Wireless posture non-compliant to unknown loop

jperez netics
Level 1

I'm currently implementing ISE posture for one of my clients, but I'm facing an issue: when the endpoint gets a non-compliant status, it automatically goes to an unknown state and starts re-scanning.

The expected behavior is that if an endpoint goes to a non-compliant status, it receives, like guests, internet-only access with ACL (Airespace and DACL).

The redirection portal and compliant status work fine.

I have the unknown and non-compliant authorization profiles with VLAN change, but I don't know if this triggers the re-scanning.

What can be the issue?

Context information:

  • ISE 3.0
  • AnyConnect 4.10
  • Compliance Module: 4.3.3685

 

1 Reply

hslai
Cisco Employee

@jperez netics

As you have VLAN changes between unknown and non-compliant, it's expected that the AnyConnect ISE posture module performs a re-scan. I would suggest blocking such non-compliant clients from accessing ISE on TCP 8905 and on TCP 8443 (or the port assigned for the ISE client provisioning portal).
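
One way to check that a non-compliant ACL actually does what the reply above suggests, as an added example that is not part of the original thread or any Cisco code: a small first-match evaluator that confirms TCP 8905 and 8443 towards ISE are denied before any broad permit. The ISE address `192.0.2.10`, both sample ACLs and all function names are constructed for illustration, and only the `any`, `host`, wildcard-mask and `eq` forms are parsed.

```python
import ipaddress

PSN = "192.0.2.10"             # constructed placeholder for an ISE node address
POSTURE_PORTS = (8905, 8443)   # TCP ports named in the reply above

# Constructed internet-only ACL that never mentions ISE.
WEAK = """\
permit udp any any eq 53
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
"""

# Same ACL with the two posture ports denied ahead of the broad permit.
HARDENED = """\
deny tcp any host 192.0.2.10 eq 8905
deny tcp any host 192.0.2.10 eq 8443
""" + WEAK


def parse_ace(line):
    """Parse 'action proto any <dst> [eq port]' into a tuple."""
    action, proto, _src, *rest = line.split()   # source is assumed to be 'any'
    if rest[0] == "any":
        net, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
    elif rest[0] == "host":
        net, rest = ipaddress.ip_network(rest[1] + "/32"), rest[2:]
    else:  # address + wildcard mask: invert the wildcard to get a netmask
        mask = ipaddress.ip_address(int(ipaddress.ip_address(rest[1])) ^ 0xFFFFFFFF)
        net, rest = ipaddress.ip_network(f"{rest[0]}/{mask}"), rest[2:]
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, net, port


def verdict(acl, dst, port, proto="tcp"):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    ip = ipaddress.ip_address(dst)
    for line in filter(str.strip, acl.splitlines()):
        action, ace_proto, net, eq = parse_ace(line)
        if ace_proto in ("ip", proto) and ip in net and eq in (None, port):
            return action
    return "deny"


def posture_ports_blocked(acl, psn=PSN):
    """True only if every posture port towards the ISE node is denied."""
    return all(verdict(acl, psn, p) == "deny" for p in POSTURE_PORTS)
```

The `WEAK` list shows how the posture ports stay reachable: the ISE address falls outside the denied private range, so the trailing `permit ip any any` lets the posture module reach it.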