Strange AnyConnect Client Issues with the NAM Module.

Matthew Martin
Level 5

Hello All,

AnyConnect Base Client: 4.2.03013
Network Access Manager Module 4.2.03013
ISE Compliance Module 4.2.03013

Cisco ISE Server: 2.0.0.306


On some of our client deployments (all Windows 7 PCs) we have noticed that the ISE Posture modules continue to display "No Policy Server Found", even though they have the exact same configuration and config profiles as other PCs, which seem to work just fine for most.

We thought we might have narrowed the issue down to the wired NIC giving us the trouble. However, we had a Dell tower that was unable to find the Policy Server, so we checked another Dell desktop PC which is the exact same model, with the same NIC card and the same drivers, and that one worked just fine.

Another reason we thought the issue might be the NIC was that if we plugged a USB-to-Ethernet adapter into the tower and connected the Ethernet cable to that instead, it instantly found the Policy Server and was able to posture without issue. But since another tower of the same model, with the same hardware and drivers, worked just fine, now we're not so sure.

I'm not 100% positive, but I believe that when we see these computers that get the "No Policy Server Detected" message, they don't even show up on the core switch as attempting to authenticate on the port with 802.1x (i.e. using the "show auth session int Gix/xx" command). When that happens, their IP phones do show on the port as authenticated just fine (using MAB), but the PC isn't.

Any thoughts or suggestions would be greatly appreciated!

Thanks in Advance,
Matt

5 Replies

Gagandeep Singh
Cisco Employee

Are you using a proxy on the switch for redirection on port 8080, which might lead to the discovery packets not getting redirected?

Even if any machines worked, they were working based on a previously connected PSN.

Make the switch listen on port 80.

Regards

Gagan
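
The switch-side dependency behind this reply, as an added example that is not part of the thread: AnyConnect ISE Posture discovers the policy server by probing TCP/80 (the default gateway's /auth/discovery URL and enroll.cisco.com) and by contacting the PSN it used last on TCP/8905. The port-80 probe is only intercepted and redirected if the switch's own HTTP server answers on 80 and a redirect ACL is applied to the session, which is also why a client that still reaches a previously used PSN over 8905 can appear to work when a fresh one does not. The weak and corrected configurations below use Catalyst IOS/IOS-XE syntax of the era (on current IOS-XE, `ip device tracking` is replaced by SISF `device-tracking` policies); the PSN address 10.0.0.50, the ACL name ACL-POSTURE-REDIRECT and the interface are placeholders I chose for illustration.

```cisco
! ADDED EXAMPLE (not from the thread). PSN address, ACL name and interface are placeholders.
!
! --- Weak: HTTP server moved off port 80 (or disabled entirely) ---
! The posture agent's discovery probe goes to TCP/80. Nothing intercepts it
! when the switch listens on 8080, so the agent ends in "No Policy Server Detected".
ip http port 8080
!
! --- Corrected: HTTP(S) server on the default ports, device tracking on ---
no ip http port                      ! back to port 80
ip http server
ip http secure-server
ip device tracking                   ! switch must learn the client IP to build the redirect URL
!
! Redirect ACL named in the ISE "posture unknown" authorization profile.
! permit = redirect to ISE, deny = forward normally.
ip access-list extended ACL-POSTURE-REDIRECT
 deny   udp any any eq domain
 deny   udp any any eq bootps
 deny   ip  any host 10.0.0.50       ! traffic to the PSN itself (8443/8905) must never be redirected
 permit tcp any any eq www
 permit tcp any any eq 443
!
! Checks on the 4510 while a client sits in discovery:
show ip http server status           ! expect "HTTP server status: Enabled" on port 80
show ip access-lists ACL-POSTURE-REDIRECT
show ip device tracking all          ! the client's IP must appear against its port
show authentication sessions interface GigabitEthernet1/1 details
! A redirected session lists "URL Redirect ACL: ACL-POSTURE-REDIRECT".
! If the PC has no dot1x session on the port at all, as described above,
! redirection never comes into play: the supplicant has to authenticate first.
```

The first `show` answers the proxy question directly: if the server status line reports a port other than 80 (or "Disabled"), the redirect cannot match the probe regardless of how the ACL or the ISE profile is written.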

Hey Gagandeep, thanks for the reply.

Sorry for the delay getting back to you, it's been a very busy couple of days.

No, I don't believe there is any proxy set up on our 4510R+E. Would there be any kind of generic configuration on the switch that I should look for to verify this for sure? I know we have a WSA, but it's currently only running in our remote branch locations, which do not yet have AnyConnect; only our HQ does.

We were able to get most of our clients past this point of "No Policy Server Detected", and now we seem to be having another issue with AnyConnect. Even though the client's ISE Posture module is displaying them as "Compliant", the ISE Live Log is showing them as getting the authorization policy for posture Unknown. So far the only way to fix this was to right-click the AnyConnect icon in the taskbar and click "Network Repair". For a few PCs we had to click Network Repair a few times, and others had to be rebooted as well as Network Repair. This morning alone we had 20 or so PCs that needed this done, and they were not all the same model of PC. Some were Dells, some were ThinkPads, etc.

We thought this issue was only occurring when a PC was in sleep mode for an extended period and, upon wakeup, AnyConnect would go Compliant. However, ISE reports them as getting the "Unknown" auth policy until one or more Network Repairs are performed on the client.

Any idea if this is a known issue with AnyConnect and ISEPosture?

Thanks,
Matt

I was searching Microsoft KB articles and found the information below.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/1f7cf5b7-b2cd-4c30-91a4-102cca13610f/8021x-user-auth-authenication-fails-after-reboot-logoff-or-hibernation?forum=w7itpronetworking

The user is able to log on to Windows but receives an "Authentication Failed" message. The user receives this message after a re-logon, hibernation, or even a total reboot.

Workaround: the user must disable/enable the network adapter, change a network adapter setting (any setting, just as long as something changes that's non-trivial to the setup, of course), or disconnect/reconnect the Ethernet cable from the adapter. Any one of these events triggers a reauth, and it successfully connects them and they stay connected until a hibernation, logout, or reboot.
You can also check the event logs on Windows client.

Meaning of the dot1x switch commands:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/commmand/reference/3750cr/cli1.html

Switch configuration required to support Cisco ISE functions:

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_sw_cnfg.html#wp1059672

Regards

Gagan

PS: rate if it helps!
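
Two switch-side areas worth verifying against the symptom Matt describes (agent reports Compliant, ISE Live Log keeps showing the Unknown profile until a Network Repair) and against the switch configuration documents linked above, as an added example that is not part of the thread. ISE moves a session from the posture-unknown (redirect) profile to the compliant one by sending a RADIUS Change of Authorization (CoA) to the switch once the agent reports Compliant; if the switch does not accept CoA from the PSN that owns the session, the agent and ISE disagree exactly this way until something else forces a new authentication (Network Repair, a link flap, a reboot). The second area is reauthentication, which is what a hibernate/resume cycle ultimately relies on. Catalyst IOS/IOS-XE syntax of the era; the PSN address 10.0.0.50, the shared secret, the interface and the VLAN numbers are placeholders I chose for illustration, and the compliant-side check assumes the ISE compliant profile carries no redirect ACL.

```cisco
! ADDED EXAMPLE (not from the thread). PSN address, key, interface and VLANs are placeholders.
!
! 1. Accept CoA from every PSN (one "client" line per PSN, same key as the RADIUS host)
aaa server radius dynamic-author
 client 10.0.0.50 server-key 0 ISE-SHARED-SECRET
 auth-type any
 port 1700                                         ! port ISE sends CoA to
!
radius-server host 10.0.0.50 auth-port 1812 acct-port 1813 key 0 ISE-SHARED-SECRET
radius-server vsa send authentication
radius-server vsa send accounting
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req   ! Framed-IP-Address in the request
radius-server attribute 25 access-request include
aaa accounting dot1x default start-stop group radius   ! accounting gives ISE the session ID/IP it targets with CoA
!
! 2. PC plus IP phone on one port, reauth interval handed down by ISE
interface GigabitEthernet1/1
 switchport mode access
 switchport voice vlan 200
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server        ! use Session-Timeout from ISE, not a fixed local value
 authentication event server dead action authorize vlan 100
 authentication event server alive action reinitialize
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! 3. Checks when the agent says Compliant but ISE still shows Unknown
show authentication sessions interface GigabitEthernet1/1 details
! "Status: Authorized" with a "URL Redirect ACL" still listed means the
! compliant CoA never took effect on this session. Watch the next attempt:
debug aaa coa
debug radius
! Switch-side equivalent of Network Repair, to confirm a fresh auth clears it:
clear authentication sessions interface GigabitEthernet1/1
```

If `debug aaa coa` shows nothing arriving while ISE logs a CoA failure for the session, the `dynamic-author` client list or key is the first thing to compare against the PSN that actually handled the authentication.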

Hey Gagandeep, thanks again for the reply, and for searching around for that. Much appreciated!

That sounds like almost exactly what we are experiencing. But we set up ISE and the clients to do machine authentication and not user auth; do you think this makes a difference? I noticed the articles mention the issue is caused when user authentication is being used with 802.1x.

I'm going to include some screenshots of the Windows native supplicant. Not sure if that is where the issue lies or not, but I wanted to show what those settings are.

Also, I'm going to have to double-check this, but I believe that when we see the AnyConnect client showing "Compliant" and the ISE server showing them getting the "Unknown" authorization profile, if you run "show auth sess int GiX/XX" for the port of the device in question on our 4510R+E, which is configured for ISE, it shows the PC as Authenticated for dot1x.


Thanks Again,
Matt

Let me know if my most recent question below should be asked in a new post? I wasn't sure if it was too far off the original topic or not.

Thanks,

Matt