Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
178
Views
1
Helpful
2
Replies

Issue with Cisco ISE Posture when Users Connect via Wi-Fi (WLC 9800)

nicoff
Level 1
Level 1

‎10-10-2024 05:30 AM

We're currently experiencing an issue with Cisco ISE Posture when users are connected via Wi-Fi, and we're hoping to get some insights or suggestions.

Here's the problem:
When the option "Perform posture assessment every time a user connects to network" is enabled in ISE, it creates an infinite loop that forces the user to always go through the client provisioning portal.

However, if we remove the portal ACL on the WLC as a test, the issue disappears, and users are able to initiate the scan via the AnyConnect button without getting stuck in the loop or receiving the "Unable to detect Posture Agent" message.

Everything works fine when we use the "Perform posture assessment every X Days" option, but we can't figure out why we're seeing this behavior with the WLC when using the first option.

Has anyone encountered a similar issue or have any suggestions on how to resolve this?

Thanks in advance for any help!

0 Helpful
2 Replies 2

Flavio Miranda
VIP
VIP

‎10-10-2024 06:40 AM

@nicoff 

My comments.

  "When the option "Perform posture assessment every time a user connects to network" is enabled in ISE, it creates an infinite loop that forces the user to always go through the client provisioning portal."
 The question to be made here is why client go to the provisioning portal. Meaning, the client should be sent to the portal if something is not find in the client, right?

"However, if we remove the portal ACL on the WLC as a test, the issue disappears, and users are able to initiate the scan via the AnyConnect button without getting stuck in the loop or receiving the "Unable to detect Posture Agent" message."

 If you remove the ACL the problem disapears because the redirect will not take place.

"Everything works fine when we use the "Perform posture assessment every X Days" option, but we can't figure out why we're seeing this behavior with the WLC when using the first option."

 Probably it will break when the X days comes. If the "Perform posture assessment every X Days" flag set, the ISE is not executing the posture assesment and it is not triggering the problem. But. when the period get to an end. the problem will probably happen again.

The conclusion is not simple here but the line of investigation should be try to identify why the ISE is forcing the client to be provisioned.  IF the ISE were able to validate that the client have all it needs, it should not send the client to the portal over and over.

 

 

nicoff
Level 1
Level 1
In response to Flavio Miranda

‎10-12-2024 01:24 AM

Thanks for helping me thinking.

"The question to be made here is why client go to the provisioning portal. Meaning, the client should be sent to the portal if something is not find in the client, right?"

Last Known Posture Compliant Status is enabled so I expect not to be redirect to the client provisioning portal.

We have in place the same configuration for VPN users and users that connects to the network using a ethernet cable and the problem doesn't occur. So what's wrong on the WLC? 

0 Helpful
Customers Also Viewed These Support Documents