We have a L3 OOB routed gateway configuration (with redundant CAS and CAM), We are currently running 4.7.1 on the appliances and the agent is 4.7.10.
We have experienced two problems:
1. On several occasions we can abort a valid logon, but can still be allowed access to the network 'silently' ;
a - without any indication on the CAM i.e. no online users, no certified devices b - the switch is still in the 'unauthenticated vlan' and the c - ip address of the client is on the 'untrusted' subnet. d - the 'unauthenticated' policy DOES NOT ALLOW web traffic.
It would seem that the user is able to trick the system by aborting the logon with the agent i.e. closing the window etc, (the login credentials are correct and posture fails on an optional check and so amber) but the system DOES NOT show the user at all.
The Temporary role does allow full access, if I disable the policy rule the traffic is stopped.
The problem is there is no indication of this user on the system at all, this happens a couple of times a week.
2. When a user is genuinely placed into a TEMPORARY role (as indicated by the system, note: not the same as above), about 50% of the time communication is blocked even though the policy allows it (repeated challenges by NAC).
Close the agent and do it the second time and it will work.
I think the symptoms are related as they both seem to be related to the usage of the TEMPORARY ROLE - has anyone else seen this bug ?
Cisco Privacy Survey highlights the emergence of “Privacy Active” consumers. People care about privacy, but to what extent does it guide their consumer behavior and their actions to protect their personal information? In our new Cisco Customer Privac...
Threat Response integrates with Cisco Email Security in one of two ways: Directly from the ESA, or via an SMA. Each has its own module, but either will bring email visibility into your investigations performed in Threat Response.
Via an SMA:
Earlier this year, we released Cisco Identity Services Engine (ISE) 2.6. It delivered a broad new set of features and greater scale - a big stride for both better NAC services that ISE delivers and better Software-Defined Access. Today, we’re thril...
Integrating Cisco Identity Services Engine with Cisco Meraki Systems Manager
Technical Marketing Engineer, Cisco Systems, Inc.
Cisco Meraki Systems Manager is a cloud base endpoint management solu...
Existing customers may download the Cisco Identity Services Engine (ISE) 2.7 which was released on November 18, 2019. For 90-day evaluations of ISE, please see How to Get ISE Evaluation Software & Licenses.