Hi,
We have configured posturing in our Cisco ISE 3.1 patch 6.
The AnyConnect version for ISE Posturing is 4.10, and the Compliance module is 4.3.35.
The authentication profiles are as follows:
- Auth Profile Compliant: This profile is assigned to VLAN A.
- Auth Profile Non Compliant: This profile is assigned to VLAN A. (We assigned a posture web redirect ACL from the WLC to this profile, but during troubleshooting, we removed it to see if the ACL was the cause of the problem. It was not, so we took the ACL off the Auth Profile. We also tried to use a different VLAN (VLAN B) to check whether it was going to get stuck in VLAN B or not, but for the sake of simplicity, we decided to use VLAN A in the Non Compliant Auth Profile too.)
There are 2 Authorization Policies:
- If the endpoint condition is equal to compliant, then assign the Auth Profile Compliant.
- If the endpoint condition is not equal to compliant, then assign the Auth Profile Non Compliant.
The requirement is that the endpoint must have any anti-malware software installed and any firewall running.
With these configurations, most agents are able to correctly perform compliance checks on the endpoints. However, we have noticed strange behavior with certain endpoints, specifically gaming laptops, such as Asus Tuf and Lenovo Legion.
The behavior is as follows:
- The user connects to the Wi-Fi network.
- AnyConnect automatically performs a compliance check.
- The system scan is completed, and the user is considered compliant (AnyConnect shows "System Scan: Compliant").
- The SSID is checked, and it is connected and secured.
- The IP address is checked, and it is from VLAN A.
- The livelog is checked, and the compliant state goes from pending to compliant to pending (and is stuck in pending).
- Context visibility is checked, and the compliance status is unknown.
- The report is checked, and the posture by condition shows that all requirements are fulfilled, as shown in the endpoint's scan summary.
Since this behavior only occurs with specific brands, we are not sure how to approach the issue.
Thank you,