
ISE CPP & Posture Check

Ali
Level 4

Hi Community,

I have a doubt about how the policy flow works in the scenario below.

If an endpoint has the AnyConnect agent (4.5) installed with the Posture module (4.5) and the Compliance module (3.6), and on ISE we have configured a Client Provisioning Policy and Posture Policy checks with mandatory requirements for the same agent:

When an endpoint connects to the network, will it go through the Client Provisioning Policy, or will it only go through the Posture Policy check, or will both policy checks be done?

Second one: is it necessary to have a Client Provisioning Policy on ISE? We are manually deploying the AnyConnect agent installation with the Posture module and Compliance module along with the Windows image installation.

I need helpful clarification.

1 Accepted Solution

Accepted Solutions

Greg Gibbs
Cisco Employee

This TechNote has a good breakdown and illustration of how the Posture flow works for both pre-2.2 and post-2.2. You can see how the redirect to the Client Provisioning Policy is built into the overall Posture flow.

Regardless of whether you pre-deploy the Posture agent via software management tools, ISE still does a check against the CPP to determine what agent it needs to check for (NAC Agent, AnyConnect, Temporal, etc) on the client.

ISE posture style comparison for pre and post 2.2 - Cisco

-Regards

Greg


9 Replies


Hi Gibbs,

Thank you for the TechNote. I have gone through the document, and it is very well explained.

I have a doubt about the Posture flow for pre-2.2.

In Steps 20 and 21 it states that the Posture module is the one that initiates policy server detection by sending probes and establishes a connection to the CPP.

And in Step 26 it states that the Posture module collects information about the system (OS version, installed security products and their definition versions); this collected information (report) is sent to ISE.

ISE makes the endpoint compliance status decision based on the report. Up to here everything is well and good.

My doubt is: what is the use of the "Compliance Module"? Also, we use the Compliance module while creating the posture policy,

as the Posture module is the one that is collecting the information and sending it to ISE.

Thanks,

Ali

Both are needed as part of the Posture function. The Posture module is essentially the agent and front-end, while the Compliance module mostly provides a library for the assessment and remediation of various 3rd-party products (e.g. anti-malware, patch management, disk encryption, etc.)

Newer versions of the Compliance module typically add support for new vendor products or versions.

You can see the support charts for the various versions of the Compliance Module here:

Cisco Identity Services Engine - Compatibility Information - Cisco

Hi Gibbs,

In the below possible scenarios, how does ISE determine the posture status, and based on which condition?

1. Both Client Provisioning and Posture Policies are present – the compliance status is determined based on the posture check.

2. Client Provisioning is missing and a Posture Policy is present – the compliance status is determined based on the posture check.

3. Client Provisioning Policy is present, Posture Policy is missing - how is the compliance status determined for this?

(++ default posture status is set to Non-Compliant in Posture Settings)

4. Both Client Provisioning and Posture Policies are missing - how is the compliance status determined?

Here we have the following options:

(++ default posture status (Administration -> System -> Settings -> Posture -> General Settings) is set to Non-Compliant) - what will be the status?

(++ default client provisioning configuration (Administration -> System -> Settings -> Client Provisioning, "Native Supplicant Provisioning Policy Unavailable" option is set to "Apply defined authorization policy") - what will be the status?

(++ if we change "Native Supplicant Provisioning Policy Unavailable" to "Allow network access") - what will be the status?

To be honest, it's been a few years since I've tested these failure scenarios, so I'm not sure I can confidently answer these questions.

hslai or chyps, are you able to help shed some light on these scenarios or point to documentation that does?

Hello Gibbs,
 
In our environment, users unlock the screen when they are off shift, so the same session will be there for the user as the endpoint has not got disconnected from the network.
So, if a user doesn't get disconnected from the network, how long does ISE keep the posture status as Compliant in its database, as the posture lease is set to "Perform posture assessment every time a user connects to the network"?

As per the Cisco document, the posture process is launched in the below situations:

1) After network interface status change (up/down)
2) Default gateway change
3) System restart

In our environment, sometimes the above 3 situations will not occur for more than a week or two; along with that, periodic reassessment is not configured. So how long does ISE keep the posture status of an endpoint? Does ISE have any default posture time for endpoints?

Thank you

Nidhi
Cisco Employee

If PRA is not configured, you can make use of the timeout in the authorization profile to run the check again.

Since PRA is not configured, as long as the RADIUS session stays up, the posture session information stays the same and there is no change in state.

Perhaps the device or NIC is going to sleep.

You need to look at the logs for a session change and perhaps get a DART file when it happens to debug further with TAC.
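The concern raised in this part of the thread is that, without PRA or a reauthentication timeout, a session can carry a "Compliant" posture result for weeks. The script below is an added example (not Cisco's code and not from anyone in this thread) of the kind of check a defender can run over exported session/posture events to find endpoints whose last posture result is older than an acceptable age. The event line format, the MAC addresses, the timestamps and the one-week threshold are all constructed for the example; the line format is a simplified stand-in and is not ISE's real syslog or report format.

```python
"""Flag active RADIUS sessions whose last posture result is missing or older than a threshold.

The event format below is constructed for this example (one event per line); it is NOT
Cisco ISE's real syslog or report format:
    <ISO-8601 UTC timestamp> mac=<MAC> event=<session-start|posture|session-stop> [status=<Compliant|NonCompliant>]
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional


@dataclass
class Session:
    mac: str
    started: datetime
    last_posture: Optional[datetime] = None   # None = never posture-assessed in this session
    posture_status: str = "Unknown"
    active: bool = True


# Constructed sample events (fictional MACs and times): one endpoint assessed two weeks ago,
# one never assessed, one whose session already ended, and one assessed yesterday.
SAMPLE_EVENTS = [
    "2019-03-01T08:00:00Z mac=00:11:22:33:44:01 event=session-start",
    "2019-03-01T08:00:30Z mac=00:11:22:33:44:01 event=posture status=Compliant",
    "2019-03-01T09:00:00Z mac=00:11:22:33:44:03 event=session-start",
    "2019-03-01T09:00:25Z mac=00:11:22:33:44:03 event=posture status=Compliant",
    "2019-03-02T17:00:00Z mac=00:11:22:33:44:03 event=session-stop",
    "2019-03-10T08:00:00Z mac=00:11:22:33:44:04 event=session-start",
    "2019-03-14T07:00:00Z mac=00:11:22:33:44:02 event=session-start",
    "2019-03-14T07:00:40Z mac=00:11:22:33:44:02 event=posture status=Compliant",
]

# Assumed review time and acceptable posture age (one week) for the demo.
NOW = datetime(2019, 3, 15, 9, 0, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=7)


def _parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(lines: Iterable[str]) -> Dict[str, Session]:
    """Fold the event stream into the current session state per endpoint MAC."""
    sessions: Dict[str, Session] = {}
    for line in lines:
        fields = line.split()
        ts = _parse_ts(fields[0])
        kv = dict(f.split("=", 1) for f in fields[1:])
        mac, event = kv["mac"], kv["event"]
        if event == "session-start":
            sessions[mac] = Session(mac=mac, started=ts)
        elif event == "posture":
            # A posture result without a recorded start still implies a live session; keep it.
            sess = sessions.setdefault(mac, Session(mac=mac, started=ts))
            sess.last_posture = ts
            sess.posture_status = kv.get("status", "Unknown")
        elif event == "session-stop":
            if mac in sessions:
                sessions[mac].active = False
    return sessions


def stale_sessions(sessions: Dict[str, Session], now: datetime, max_age: timedelta) -> List[str]:
    """MACs of active sessions whose posture result is missing or older than max_age."""
    stale = [
        s.mac for s in sessions.values()
        if s.active and (s.last_posture is None or now - s.last_posture > max_age)
    ]
    return sorted(stale)


def posture_age(sessions: Dict[str, Session], mac: str, now: datetime) -> Optional[timedelta]:
    """Age of the endpoint's last posture result, or None if it was never assessed."""
    sess = sessions.get(mac)
    if sess is None or sess.last_posture is None:
        return None
    return now - sess.last_posture


if __name__ == "__main__":
    state = parse_events(SAMPLE_EVENTS)
    for mac in stale_sessions(state, NOW, MAX_AGE):
        print(f"{mac}: status={state[mac].posture_status} posture_age={posture_age(state, mac, NOW)}")
```

Sessions that ended are ignored, because a new session will trigger a fresh assessment anyway; an active session with no posture event at all is reported alongside the aged ones, since both leave the endpoint's current state unverified. The threshold to use is whatever reauthentication timeout or PRA interval the authorization profile is expected to enforce; anything older than that indicates the timer is not firing as intended.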

Thanks @Jason and Nidhi
