Hi,   You can't use them both - i.e. in the same auth session. When using windows supplicant you can use machine OR user. When you just power on your PC, your OS will send its machine credentials. After user login, it will send user credentials. Check this picture.   Thanks, Octavian   ... View more

Hi, Do you have any track on the route? If the route is down because your interface is down, I don't see any reason for the connections to remain in the conn table.   If the route is not removed because of an interface down reason, I'd look at this:   ----------------------------------- Routing convergence & connection timers   (config)#timeout floating-conn 0:00:00 (config)#timeout conn-holddown 0:00:15   timeout floating-conn hh:mm:ss—When multiple routes exist to a network with different metrics, the ASA uses the one with the best metric at the time of connection creation. If a better route becomes available, then this timeout lets connections be closed so a connection can be reestablished to use the better route. The default is 0 (the  connection never times out). To make it possible to use better routes, set the timeout to a value between 0:0:30 and 1193:0:0.   timeout conn-holddown hh:mm:ss—How long the system should maintain a connection when the route used by the connection no longer exists or is inactive. If the route does not become active within this holddown period, the  connection is freed. The purpose of the connection holddown timer is to reduce the effect of route flapping, where routes might come up and go down quickly. You can reduce the holddown timer to make route convergence happen more quickly. The default is 15 seconds, the range is 00:00:00 to 00:00:15.   -----------------------------------   Thanks, Octavian ... View more

Hi,   Do you have user and/or machine auth? What suppliant are you using?   Thanks, Octavian ... View more

Hi, Now I understand your concern. Please let me know if it worked.   Regards, Octavian ... View more

Hi, Why is it troublesome to do it this way? This is how I did it and I see no issue with it.   I remember having some issues with the fact that the same profile would have to be configured/synced both on ISE and ASA, but I guess this would be a false issue because normally, one you're done with the config you're not changing it on a daily basis. You just place the same profile both on ISE and ASA and done. In case you'd need to update anyconnect, you'd place the newer version on ASA and it will be updated for sure.   Regards, Octavian ... View more

Hi,   It should work. --------------------------- You have to check for the parent profile configuration:   parent profile General_CORP_Printer total certainty factor = 50 (just an example) Conditions: if OUI or entire MAC is/contains X  = 50 points + take network scan action --------------------------- Make sure the global SNMP community string is public or whatever custom community you've configured on your printer. --------------------------- Check if you printer is indeed identified as being General_CORP_Printer. --------------------------- The first connection of the printer should match a profile that allows for network access (with dACL allowing access to ISE - return traffic for the scan part) --------------------------- Your switch should have IP Device Tracking on so that ISE learns printers IP. In order to 'stimulate' the printer you should configure authentication control-direction in   If nobody connects to the printer (wants to print), the printer itself will not generate any traffic, thus the switch will not learn its IP, thus ISE will not know the IP to scan. (do a ping to the printer so that you trigger an ARP on the L3/printer's gateway; the printer will get the ARP request - auth control-direction in - will want to respond; IP Device Tracking will kick in and know the printer's IP.   Regards, Octavian     ... View more

Hi, I don't see anything wrong in your second set of pictures. I assume that after you download the client you get the same error.   Have you checked this tutorial? https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html   I noticed that your redirect URL is quite simple, with not exceptions. This may be the issue, even though the default deny (no redirect) should allow any other traffic (including ISE). One more thing, beware of NAT config. Make sure your NAT config except VPN to Internal from any PAT.   If I were you, I'd check these: - DNS (maybe the client can't resolve ISE FQDN at some point) - split tunnel vs full tunnel (I'd test with full tunnel just to make sure all traffic is diverted towards ASA) - identity NAT for pool to internal and PAT for internet (for some reason the redirect may not work sometimes because of NAT; something to do with NAT order of operations) - newer version of ISE/AC? (last time I've used directly the callhome option in the AC xml posture profile and it worked like a charm)   One more thing, based on your ISE version, this may help you to understand how things work and possibly what's wrong in your case: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html   Regards, Octavian ... View more

Hi,   [qoute] We cannot use the default authorization policy since not all devices that reach this point are new devices. [/quote]   If the device is not new and it was already profile, it will not match this rule but a top rule. I don't see any issue with having a default rule for MAB devices where you'd put a dACL with DNS/DHCP access.   Regards, Octavian ... View more

Hi, The discovery host should be any IP that's inside the tunnel that can trigger the redirect to ISE. It's not recommended to be ISE. Give it a go like I suggested.   Thanks, Octavian ... View more

Hi, Don't know why you'd want this :) Still, if you need it for MAB (I assume this is the case) you could use (in an authorization policy) a rule saying "request = MAB + authentication failed (or not found - you have to check)   The 1st time you see a MAC it will match MAB 'continue' option for 'user not found'. (thus failed auth?)   The 2nd time you're seeing this device (not new anymore), it won't hit the 'continue' option from MAB authentication, because the endpoint already exists in ISE.    Regards, Octavian ... View more