06-16-2026 01:17 PM - edited 06-16-2026 01:25 PM
Solved! Go to Solution.
06-17-2026 11:45 AM
Hi Bakaholic39,
That Pending is expected, ISE puts every new RADIUS session into Pending unless a posture lease is set. The reason idle timeout triggers it but a session timeout usually doesn't is the session ID: an idle timeout deauthenticates the client, so the reconnect is a brand new association with a new Audit-Session-Id, which ISE resets to Pending. A session-timeout reauth can keep the same ID if your authz profile uses RADIUS-Request (Maintain Connectivity During Reauthentication), so posture survives. That explains the difference but isn't your fix, since RADIUS-Request does nothing for an idle deauth. And on a quick reconnect to the same SSID, the Secure Client module often doesn't see a network change, so it never re-probes and just sits on its cached Compliant.
First thing to rule out: check your posture-unknown authz actually pushes the redirect or a limited DACL. If it hands out access without nudging the agent, nothing prompts CSC to re-probe and a lease would just mask that.
The lease is the right fix for the churn, but pair it with PRA. While the lease is active ISE trusts the stored result and doesn't re-check the endpoint, so PRA re-validates the live session to catch anything that drifts out of compliance. Keep the lease short, 4 to 8 hours rather than days. Raising the 300s idle timeout (your value is the 9800 default, worth confirming) also cuts how often you hit this.
06-17-2026 11:45 AM
Hi Bakaholic39,
That Pending is expected, ISE puts every new RADIUS session into Pending unless a posture lease is set. The reason idle timeout triggers it but a session timeout usually doesn't is the session ID: an idle timeout deauthenticates the client, so the reconnect is a brand new association with a new Audit-Session-Id, which ISE resets to Pending. A session-timeout reauth can keep the same ID if your authz profile uses RADIUS-Request (Maintain Connectivity During Reauthentication), so posture survives. That explains the difference but isn't your fix, since RADIUS-Request does nothing for an idle deauth. And on a quick reconnect to the same SSID, the Secure Client module often doesn't see a network change, so it never re-probes and just sits on its cached Compliant.
First thing to rule out: check your posture-unknown authz actually pushes the redirect or a limited DACL. If it hands out access without nudging the agent, nothing prompts CSC to re-probe and a lease would just mask that.
The lease is the right fix for the churn, but pair it with PRA. While the lease is active ISE trusts the stored result and doesn't re-check the endpoint, so PRA re-validates the live session to catch anything that drifts out of compliance. Keep the lease short, 4 to 8 hours rather than days. Raising the 300s idle timeout (your value is the 9800 default, worth confirming) also cuts how often you hit this.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide