Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ISE Posture for non-agent device problem

I have a couple of questions:

- They said it the documents: "these (non-agent) devices assume the Default Posture Status settings". I wonder how ISE determines that a device is a non-agent device, or to put it another way, when is the Default Posture Status settings applied to a device? Is it after some period of time not receiving anything from the agent? If yes, can and where do I change that time in ISE?

- I tested this with my lab and saw that: after the user successfully login with his account, and the Authorization profile with Client provisioning is applied to that session, the user goes to a web page and gets redirect to the CPP page. Now if he just sits there and doesn't install the NAC agent, I noticed that after about 40s, the session is automatically restarted to a new one, with a different session ID, but the same username. The new session gets to the point where the same redirect Authorization profile is applied and the whole process cycles over and over. Things I observed each time the session restarts:

+ The user doesn't even have to enter the credentials again. The 802.1x login doesn't popup 

+ The Default Posture status (I set it to Noncompliant) is applied to the session right before it restarts. I can see an event on ISE indicating that. The event also shows the Acct-Terminate-Cause as "Admin Reset"

+ If at any point, the user installs a NAC agent then he can break the cycle (e.g becomes compliant) and carry on with other Authorization profiles

So my question is: is that expected behavior of ISE? Although it seems no harm except new sessions are created continously

Or have I configured something wrong?

New Member