
Windows Login issue with ISE posture after User password expires

MALi-786
Level 1

I am running posture with AnyConnect 4.7 in my environment but am now facing an issue after the user's Windows password expires.

 

1- User's Windows password expires.

2- User resets it at the time of login.

3- Got the message for a successful password change.

4- Tried to log in with the new password, but it is not working.

5- User is able to log in with the old password, but posture is not working.

Any idea how to fix this issue? I tried allowing any to AD in the posture redirect ACL.

2 Accepted Solutions


Did you try opening most everything first, make sure that works and start restricting?


MALi-786
Level 1

It's fixed now. I was allowing TCP but not UDP. After I allowed the required ports for UDP, it started working fine.


4 Replies

Mike.Cifelli
VIP Alumni
How is your authz policy & redirect acl setup? Sounds like that user is able to get back in via cached creds. What conditions are you utilizing to kick off posture scan?

 

  1. Compliant --> Result --> Permit
  2. Non Compliant --> Deny
  3. Unknown Compliant --> Posture Redirect
    1. AUTH Profile: DACL (Redirection)
    2. Web Redirection -> ACL -> CP Portal

 

Yes, they are using cached credentials due to some issue which I am trying to identify. AD is working fine with ISE, and I checked by testing a user.

 

 
