910 Views, 0 Helpful, 7 Replies

Wireless Posturing ISE 3.1. Stuck in Unknown after Compliant

rafliraditya
Level 1

Hi,

We have configured posturing in our Cisco ISE 3.1 patch 6.

The AnyConnect version for ISE Posturing is 4.10, and the Compliance module is 4.3.35.

The authentication profiles are as follows:

  • Auth Profile Compliant: This profile is assigned to VLAN A.
  • Auth Profile Non Compliant: This profile is assigned to VLAN A. (We assigned a posture web redirect ACL from the WLC to this profile, but during troubleshooting we removed it to see if the ACL was the cause of the problem. It was not, so we took the ACL off the Auth Profile. We also tried to use a different VLAN (VLAN B) to check whether it was going to get stuck in VLAN B or not, but for the sake of simplicity we decided to use VLAN A in the Non Compliant Auth Profile too.)

There are 2 Authorization Policies

  • If the endpoint condition is equal to compliant, then assign the Auth Profile Compliant.
  • If the endpoint condition is not equal to compliant, then assign the Auth Profile Non Compliant.

The requirement is that the endpoint must have any anti-malware software installed and any firewall running.

With these configurations, most agents are able to correctly perform compliance checks on the endpoints. However, we have noticed strange behavior with certain endpoints, specifically gaming laptops, such as Asus Tuf and Lenovo Legion.

The behavior is as follows:

  1. The user connects to the Wi-Fi network.
  2. AnyConnect automatically performs a compliance check.
  3. The system scan is completed, and the user is considered compliant (AnyConnect shows "System Scan: Compliant").
  4. The SSID is checked, and it is connected and secured.
  5. The IP address is checked, and it is from VLAN A.
  6. The livelog is checked, and the compliant state goes from pending to compliant to pending (and is stuck in pending).
  7. Context visibility is checked, and the compliance status is unknown.
  8. The report is checked, and the posture by condition shows that all requirements are fulfilled, as shown in the endpoint's scan summary.

Since this behavior only occurs with specific brands, we are not sure how to approach the issue.

Thank you,

7 Replies

Why are you changing VLANs and not using a dACL?  Out of date wireless drivers?  Are these managed or unmanaged endpoints?

Hello Ahollifield. From my understanding, we only use DACL with VPN posturing using ASA / wired posturing using switches. As this is wireless posturing, we're using a WLC ACL. CMIIW.

Got it, correct for wireless this would just be named AireSpace ACL for the Posture states.  But in your post you state you are changing VLANs between VLAN A and VLAN B?

Wait did you edit your post?

Anyways, if this is only impacting certain endpoints, the most likely cause is an endpoint issue.

shark10331
Level 1

Good day!
Have the same problem, but I faced it on ISE 2.7.
Some of our corporate laptops first get compliant status and after several seconds get stuck in pending. It looks like it depends on the specific laptop model. For example, on Dell devices the compliance check works fine, and the Acer TravelMate P215-53 also works properly, but all our Acer Aspire A514-55 get stuck in pending. Also, these Acer A514 laptops generate more logs on ISE than those which don't have this problem. As far as I understand, they regularly reconnect to ISE and it happens really too often; I think it is abnormal behavior. (I've also uploaded a screenshot which demonstrates this behavior: screenshot.PNG)
So I tried to install different versions of WLAN and other drivers, and also switched between different AnyConnect versions, but nothing helped to solve this problem. Did anyone face such a problem? Any ideas what measures can be taken to solve it?
Thanks!
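Both posts above describe the same symptom: the live log shows an endpoint going compliant and then back to pending, and the affected models re-authenticate far more often than healthy ones. The script below is an added example (not from this thread or from Cisco) that pulls those two signals out of an exported log so affected MACs can be listed instead of eyeballed. It assumes a constructed, simplified CSV layout (timestamp, MAC, posture status per authentication); a real ISE export would need its own column mapping.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed, simplified live-log export (hypothetical layout, not a real ISE format).
SAMPLE_LOG = """\
2024-01-10 09:00:00,AA:BB:CC:00:00:01,Pending
2024-01-10 09:00:08,AA:BB:CC:00:00:01,Compliant
2024-01-10 09:00:15,AA:BB:CC:00:00:01,Pending
2024-01-10 09:01:03,AA:BB:CC:00:00:01,Pending
2024-01-10 09:00:00,AA:BB:CC:00:00:03,Pending
2024-01-10 09:00:07,AA:BB:CC:00:00:03,Compliant
2024-01-10 09:45:00,AA:BB:CC:00:00:03,Pending
2024-01-10 09:45:06,AA:BB:CC:00:00:03,Compliant
"""

def parse_rows(text):
    """Parse CSV rows into (timestamp, mac, status), sorted per endpoint by time."""
    rows = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), mac.upper(), status)
            for ts, mac, status in csv.reader(StringIO(text))]
    return sorted(rows, key=lambda r: (r[1], r[0]))

def suspect_endpoints(text, window=timedelta(minutes=5), max_auths=3):
    """Map MAC -> reasons: Compliant->Pending regression or reconnect storm within `window`."""
    by_mac = defaultdict(list)
    for ts, mac, status in parse_rows(text):
        by_mac[mac].append((ts, status))
    findings = {}
    secs = int(window.total_seconds())
    for mac, events in by_mac.items():
        reasons = []
        # Regression check: a Compliant result followed by Pending inside the window.
        for i, (ts, status) in enumerate(events):
            later = [s for t, s in events[i + 1:] if t - ts <= window]
            if status == "Compliant" and "Pending" in later:
                reasons.append("compliant->pending within %ds" % secs)
                break
        # Reconnect check: sliding window over the endpoint's auth timestamps.
        times, start = [t for t, _ in events], 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_auths:
                reasons.append("%d auths within %ds" % (end - start + 1, secs))
                break
        if reasons:
            findings[mac] = reasons
    return findings
```

The second endpoint in the sample re-authenticates normally 45 minutes later and is not flagged, so the thresholds separate a genuine flap from a routine session timeout.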

What is the wireless NAD?  Also I see the name OTP in the authc/authz policy results.  Are you using MFA on wireless?  Is this SSID mac authenticated?  Why not 802.1X?

Also: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-2943876.html

@ahollifield, thanks for your reply.
Our wireless network is based on Cisco AIR-AP2802I-R-K9 APs and a C9800-L-C-K9 WLC.
In our case OTP has nothing in common with MFA; it is just the naming of our SSIDs.
Yes, we use 802.1X, EAP-FAST (we check both the machine certificate and user credentials; this information was not displayed in the previous screenshot, so I've added a new one: screenshot2.PNG).
As for ISE 2.7, we planned to perform an upgrade, but recently our IT department bought a rather large batch of Acer laptops and all of them have the same problem with posture status and frequent reconnections. That is why we want to solve this problem first, then move to the upgrade. Moreover, in this topic @rafliraditya has a similar problem on ISE 3.1, and it seems to me that the problem is connected with the endpoints and not with ISE.