1695 Views · 5 Helpful · 3 Replies

ISE Posture Windows enter password to display desktop very slow

Eric Hansen
Level 1

Hello, got a slowness issue that I am not sure how to troubleshoot. ISE 2.0 patch 3, AnyConnect 4.3.02.

My setup is AnyConnect, which is already on the Windows 10 laptop, EAP chaining with TLS for host auth and PEAP for user auth. ISE Posture is checking for Windows AV defs and Windows AV install. AnyConnect has "start before login" installed and **everything works**. User boots, machine auths before user login, user logs in, and the ISE Posture check runs and passes. The user gets green check marks across the board.

With one small problem. The moment the user types in the password and hits enter, the welcome screen hangs for about 45 to 60 seconds, on a few rare occasions longer; my high-water mark is 1 minute 12 seconds. During this time machine auth and user auth pass with compliance status unknown in the ISE RADIUS Live Log. Then the welcome screen vanishes and the desktop paints (finally); at this time the machine cannot access anything on the network. About 5 seconds later the AnyConnect client starts, 1 second later the network connection bumps, and the ISE Posture scan in the AnyConnect client starts. The ISE Posture scan takes about 7-10 seconds to complete. After that everything is good and the user can access the network.

If the ISE Posture check is removed, the entire process takes 10-15 seconds from entering the password to the user being able to use the laptop and access the internet.

Does anyone have any idea where this 'welcome screen delay' is coming from? Feels like a timeout of some sort. It has happened on this current version of AnyConnect and the 3 previous ones as well. I am focusing on my Windows 10 laptop test machine, but the same thing has happened on 4 other test systems that are a mix of Windows 10, 8.1, and 7. The Win 10 test system is a Lenovo X1 Carbon with an SSD and is normally quite fast.

Any advice is greatly appreciated.

e-

3 Replies

jan.nielsen (Accepted Solution)
Level 7

Do you have the port in one VLAN at machine auth, and then change it once both the machine and the user log in? Also, you probably need to open up whatever ACL you are applying while posture is in the "unknown" state. It's usually due to some AD access that is being blocked.

So, no on the VLAN part; planning on doing that later.

I changed the client provisioning redirect to use a permit-any ACL for testing; I also dumped my IP out of my WLCs.

It was still slow on the first pass, but the second was drastically improved. Same with the 3rd and 4th attempts. Welcome screen wait time is down to about 10-15 seconds now, which is huge. What is that thing trying to talk to, if not the ISE servers and DNS? I assume at this point a 45-second 'press enter to login' to compliance-passing is a fairly normal time frame?

I need to research Windows and find a way to make the AnyConnect client launch sooner; my Spotify is starting before AnyConnect, which seems a bit mental.

First, make sure you are not doing posture redirect at machine login, only at user login; the machine needs a very large array of access when booting.

Once the user logs in, I have had to open up completely to at least all AD servers on most ports (it's a long list of ports), even in unknown posture, as things will easily break in the Windows login process if some network traffic is getting blocked, or even worse redirected, because then you will have to wait for timeouts as the traffic is not actually denied.

AnyConnect does not start posture before you have logged in, as there is no reason to: it can't do much checking until AV services and everything else have started.

What could be happening is AD login timing out, and then your PC is using cached credentials to log in; once posture has run and you grant full access when "Compliant", everything runs as it should.

You could try a deny statement in your ACL with the log keyword, and then look at the logs to see what's getting denied.

Also, Neno has a great diagram of what actually happens before and during Windows logon; it's a whole bunch.

https://supportforums.cisco.com/discussion/12945031/using-windows-gpo-cisco-ise
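As an added example (editor's illustration, not configuration posted by either participant), the following Cisco IOS access lists show what the advice above looks like in practice: a posture-"unknown" ACL that is too tight and makes Windows logon wait on Kerberos/LDAP/SMB timeouts, the opened-up version that lets the logon path reach the domain controllers and the ISE PSN while logging whatever is still denied, and a redirect ACL that exempts that traffic from the portal redirect. The addresses (10.1.1.0/24 for the domain controllers, 10.1.2.50 for the ISE PSN) are placeholders; the AD port list is the standard set Windows domain logon uses, and the ISE ports (8443 portal, 8905 posture agent, 8909 client provisioning) are the documented defaults.

```cisco
! Added example, not from the thread. Cisco IOS switch, ISE posture
! "unknown" state. Placeholder addresses: 10.1.1.0/24 = AD domain
! controllers, 10.1.2.50 = ISE Policy Service Node. Adjust for your site.

! --- Too tight: only DHCP, DNS and ISE are reachable. Windows logon
! --- then sits at the welcome screen waiting on Kerberos/LDAP/SMB
! --- timeouts before falling back to cached credentials.
ip access-list extended POSTURE-UNKNOWN-TIGHT
 permit udp any any eq bootps
 permit udp any any eq domain
 permit tcp any host 10.1.2.50 eq 8443
 permit tcp any host 10.1.2.50 eq 8905
 deny   ip any any

! --- Opened up: everything the logon path needs to reach the DCs,
! --- plus ISE, with a final logging deny so leftovers show in syslog.
ip access-list extended POSTURE-UNKNOWN
 remark Basic services
 permit udp any any eq bootps
 permit udp any any eq domain
 permit tcp any any eq domain
 permit udp any any eq ntp
 permit icmp any any
 remark ISE PSN: portal/redirect, posture agent, client provisioning
 permit tcp any host 10.1.2.50 eq 8443
 permit tcp any host 10.1.2.50 eq 8905
 permit udp any host 10.1.2.50 eq 8905
 permit tcp any host 10.1.2.50 eq 8909
 permit udp any host 10.1.2.50 eq 8909
 remark Active Directory domain controllers: logon, GPO, SYSVOL
 permit tcp any 10.1.1.0 0.0.0.255 eq 88
 permit udp any 10.1.1.0 0.0.0.255 eq 88
 permit tcp any 10.1.1.0 0.0.0.255 eq 389
 permit udp any 10.1.1.0 0.0.0.255 eq 389
 permit tcp any 10.1.1.0 0.0.0.255 eq 636
 permit tcp any 10.1.1.0 0.0.0.255 eq 3268
 permit tcp any 10.1.1.0 0.0.0.255 eq 3269
 permit tcp any 10.1.1.0 0.0.0.255 eq 445
 permit tcp any 10.1.1.0 0.0.0.255 eq 135
 permit tcp any 10.1.1.0 0.0.0.255 eq 464
 permit udp any 10.1.1.0 0.0.0.255 eq 464
 permit tcp any 10.1.1.0 0.0.0.255 range 49152 65535
 remark Log whatever is still blocked, then tune the list from syslog
 deny   ip any any log

! --- Redirect ACL on IOS switches: "permit" = redirected to the ISE
! --- portal, "deny" = left alone. DNS, ISE and AD must never be
! --- redirected; redirected traffic is not refused, it just times out.
ip access-list extended ACL-POSTURE-REDIRECT
 deny   udp any any eq domain
 deny   tcp any any eq domain
 deny   ip any host 10.1.2.50
 deny   ip any 10.1.1.0 0.0.0.255
 permit tcp any any eq www
 permit tcp any any eq 443
```

Apply POSTURE-UNKNOWN (or paste its ACE lines, without the `ip access-list` header, into the ISE downloadable ACL for the unknown-posture authorization profile) and watch the switch log during a logon: denied flows appear as `%SEC-6-IPACCESSLOGP` messages naming the destination address and port, which tells you exactly which service the welcome screen was waiting on. Two caveats: on an AireOS WLC the pre-auth ACL semantics are the inverse of the IOS redirect ACL (permit means pass without redirect), so the redirect section above does not transfer literally; and the RPC dynamic range is wide by design, so once the log shows which DC ports the hosts actually use, narrow the list rather than shipping the troubleshooting version to production.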
