VLAN does not change after an endpoint is compliant

dgaikwad
Level 5

Hi Everyone,
I have set up some pretty basic policies:
A user authenticates
Posture is run in a limited-access VLAN
When the endpoint is compliant, the VLAN changes to the production VLAN

Posture runs, and AnyConnect reports the endpoint as compliant.
But ISE says that it is still stuck in the pending state, and the switch still shows that the URL redirect is applied.
Even when I bounce the port manually, the same chain of events is repeated.

What am I missing here?

Greg Gibbs
Cisco Employee

There are a number of variables to the Posture flow, but some of the more common issues would be related to the order of the Authorization Policies or something wrong with the Change of Authorization (CoA).

I would suggest first looking in the Live Logs for any CoA errors (Dynamic Authorization Failed) and comparing your setup against the ISE Posture Prescriptive Deployment Guide.

Cheers,

Greg

As of now there are no errors for Dynamic Authorization Failed.
It's that AnyConnect shows the endpoint as compliant, but ISE still shows that it's in the pending state. And it will sit there for a long time and no VLAN change happens...
So, pre-posture, the machine is in a quarantine VLAN, and after posture compliance it should get the production VLAN. In my case, the machine still stays in the quarantine VLAN only.

What would be the troubleshooting flow I need to follow to resolve this, or at least find out why it's behaving the way it is...

I am using ISE 2.2
Switch 9200 with IOS 16.9.4

This document has some of the best details on the Posture flows and some initial troubleshooting suggestions - ISE Posture Style Comparison for Pre and Post 2.2

This document might also help if you need to look at debug logs in ISE - Troubleshoot and Enable Debugs on ISE

Yes, I think I would need to check manually whether the endpoint is able to resolve DNS and then reach enroll.cisco.com; this would in turn verify whether the probes are able to reach the ISE server.
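The manual discovery check mentioned in the last reply, written out as an added example (not from the thread or from Cisco): it resolves the default AnyConnect posture discovery host, sends one plain-HTTP probe to it, and reports whether the switch redirect ACL is still answering with a 302 to the ISE portal (the pre-posture state the original poster is stuck in) or whether the probe now goes through directly. The `ise.example.com` portal URL in the comments is a constructed placeholder, and `DISCOVERY_HOST` is a variable introduced here.

```shell
#!/bin/sh
# Added example: manual check of the AnyConnect posture discovery path from a
# Linux/macOS endpoint. Assumes the default discovery host enroll.cisco.com.

DISCOVERY_HOST="${DISCOVERY_HOST:-enroll.cisco.com}"

# Classify a probe's raw response headers (status line first):
#   redirect  - HTTP 3xx: the switch redirect ACL is still sending the probe
#               to the ISE portal, i.e. the session is still pre-posture
#   direct    - any other HTTP answer: no redirect in force (post-posture, or
#               the redirect ACL was never applied to the session)
#   noanswer  - nothing came back: DNS or connectivity failure
classify_probe() {
  headers="$1"
  if [ -z "$headers" ]; then echo noanswer; return 0; fi
  status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
  case "$status" in
    3[0-9][0-9]) echo redirect ;;
    *)           echo direct ;;
  esac
}

# Pull the redirect target (e.g. https://ise.example.com:8443/...) out of the
# headers; prints nothing when there is no Location header.
redirect_target() {
  printf '%s\n' "$1" | tr -d '\r' | awk 'tolower($1)=="location:" {print $2; exit}'
}

# Does the discovery host resolve at all? (getent on Linux, nslookup elsewhere)
resolve_ok() {
  if command -v getent >/dev/null 2>&1; then getent hosts "$1" >/dev/null
  else nslookup "$1" >/dev/null 2>&1; fi
}

# Live run: resolve, then send one plain-HTTP request (the discovery probe is
# also plain HTTP) and report whether it was redirected and to where.
run_check() {
  if ! resolve_ok "$DISCOVERY_HOST"; then
    echo "DNS: $DISCOVERY_HOST does not resolve; the probe cannot even start"
    return 1
  fi
  hdrs=$(curl -sI --max-time 5 "http://$DISCOVERY_HOST/" 2>/dev/null || true)
  echo "probe: $(classify_probe "$hdrs") $(redirect_target "$hdrs")"
}

if [ "${1:-}" = "--live" ]; then run_check; fi
```

Run it with `--live` on the endpoint: a `redirect` result while AnyConnect already reports compliant means the CoA that should have moved the session to the production VLAN never took effect on the switch.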